FOREWORD


There is a relentless struggle taking place in the cybersphere as government and business spend billions attempting to secure sophisticated network and computer systems. Cyber attackers are able to introduce new viruses, worms, and bots capable of defeating many of our efforts. The U.S. Government has set a goal of modernizing the nation's energy grid. A cyber attack on our energy grid could cut off service to large areas of the country. Government, business, and academia must therefore work together to understand the threat and develop various modes of fighting cyber attacks, and to establish and enhance a framework for deep analysis of this multidimensional issue.

The cyber infrastructure protection conference for academic year 2010-11 focused on strategic and policy directions, and on how these policy directions should cope with fast-paced technological evolution. Topics addressed by the conference attempted to answer some of these questions: How serious is the cyber threat? What technical and policy-based approaches are best suited to securing telecommunications networks and information systems infrastructure? What role will government and the private sector play in homeland defense against cyber attack on critical civilian infrastructure, financial, and logistical systems? What legal impediments exist to efforts to defend the nation against cyber attacks, especially in the realm of preventive, preemptive, and retaliatory actions?

Our offerings here are the result of a 2-day colloquium titled Cyber Security Infrastructure Protection, conducted on June 8-9, 2011, by the Center of Information Networking and Telecommunications (CINT) at the Grove School of Engineering, the Colin Powell Center for Public Policy — both at the City University of New York, City College (CCNY) — and the Strategic Studies Institute at the U.S. Army War College. The colloquium brought together government, business, and academic leaders to assess the vulnerability of our cyber infrastructure and provide strategic policy directions for the protection of such infrastructure.

Given the complexities of national security in the 21st century and the fast-changing nature of the cyber domain, the Strategic Studies Institute proudly presents the results of this very relevant colloquium. We are sure it will be an essential read for both the practitioner and the academic seeking a better understanding of cyber security.



DOUGLAS C. LOVELACE, JR. 
Director 

Strategic Studies Institute and 
U.S. Army War College Press 


PREFACE 


This book is a follow-on to our earlier book published in 2011 and represents a detailed look at various aspects of cyber security. The chapters in this book are the result of invited presentations at a 2-day conference on cyber security held at the City University of New York, City College, June 8-9, 2011.

Our increased reliance on the Internet, information, and networked systems has also raised the risk of cyber attacks that could harm our nation's cyber infrastructure. The cyber infrastructure encompasses a number of sectors, including the nation's mass transit and other transportation systems, railroads, airlines, the banking and financial systems, factories, energy systems and the electric power grid, and telecommunications, all of which increasingly rely on a complex array of computer networks. Many of these infrastructures' networks also connect to the public Internet. Unfortunately, many information systems, computer systems, and networks were not built and designed with security in mind. As a consequence, our cyber infrastructure contains many holes, risks, and vulnerabilities that may enable an attacker to cause damage or disrupt the operations of this cyber infrastructure. Threats to the safety and security of the cyber infrastructure come from many directions: hackers, terrorists, criminal groups, and sophisticated organized crime groups; even nation-states and foreign intelligence services conduct cyber warfare. Costs to the economy from these threats are huge and increasing. Cyber infrastructure protection refers to the defense against attacks on such infrastructure and is a major concern of both the government and the private sector.

A key contribution of this book is that it provides an integrated framework and a comprehensive view of the various forms of cyber infrastructure protection. We, the editors, strongly recommend this book for policymakers and researchers.

CHAPTER 1


INTRODUCTION 

Tarek Saadawi 
Louis H. Jordan, Jr. 
Vincent Boudreau 

In recent years, the analysis of cyber security has moved into what one might call a series of second-generation conversations. The first generation, dominated by engineers and computer programmers, regarded the issue as primarily a technical matter, and sought responses to cyber threats mainly in the development of protective software and hardware design. In its early phases, cyber threats were primarily regarded as politically neutral, and without a great deal of economic motivation. Hence, how these threats were generated, and what social or political actors or systems directed these attacks, mattered little. Up-to-date anti-virus software and other protective technology were judged sufficient to protect both personal and public cyber assets against attack.

Several things have changed since those early conversations. First, and most obviously, technology has grown more complex and more networked. As our society has demanded more interactive cyber systems, the danger of contamination across these systems has grown. Second, cyber attacks have become less economically or politically neutral than in previous generations. Evidence is mounting that both governments and insurgent groups are using cyber platforms as a way of mounting attacks. Threats to cyber security from economically motivated groups, and especially from increasingly well-organized criminal syndicates, are more advanced. Third, innovations in cyber technology each year make increasingly sophisticated cyber weapons more widespread. Moreover, as the market in malware evolves, the technology can be rented, making the threat more and more affordable. Finally, trends in technology development suggest that, generally, efforts to defend against cyber attacks will always be more expensive than efforts to develop new forms of attack. Over time, therefore, the possibility of developing purely technical solutions to the threats against cyber security seems dauntingly uneconomical, even if entirely technologically feasible.

There is a relentless struggle taking place in the cyber sphere as government and business spend billions attempting to secure sophisticated network and computer systems. Cyber attackers are able to introduce new viruses and worms capable of defeating many of our efforts. The military depends more on technological solutions than ever before. A cyber attack on military operations could be more devastating than the effects of traditional weaponry. Additionally, these attacks will come from an unseen adversary who will likely be unreachable for a counterattack or countermeasure. In this "Fifth" generation of warfare, the battlefield is everywhere, and everyone potentially becomes a combatant, which raises grave new questions in the areas of the law of war as well as national sovereignty. The U.S. military must work more closely than ever before with the various agencies of government, business, and academia to understand the threat and develop various modes of fighting cyber attacks.

Where, then, has the discussion of cyber security turned? Some answers lie in reversing trends toward greater integration and increasing technological sophistication. As cyber threats diffuse across increasingly connected networks, some have sought to counter them by developing lower-technology systems unintegrated with the larger cyber infrastructure, simply by having their own isolated cyber islands disconnected from the larger cyber systems. Others continue — as they must — to fight the war on a technological front, developing faster and more sophisticated ways of countering cyber threats. But for many, the evolution of cyber security requires a new and deeper understanding of the social, economic, and political dynamics that animate cyber terrorism and cybercrime. As with conventional security analysis, or efforts to decrease or frustrate criminal behavior more generally, we have begun to consider how the social forces that motivate and govern the generation of cyber threats can influence cyber security. By understanding how the market in criminal malware operates, or figuring out the dynamics that hold organized crime together, cyber security specialists can more effectively develop methods of staving off those threats. While the last several decades have perhaps encouraged us to think of cyber threats as programs, viruses, worms, spyware, and botnets, current conversation recalls that people — connected to one another in organizations or through networks, motivated by political or criminal concerns, living in societies and subject to laws — deploy these threats.

The tools of foreign policy, conventional security studies, criminology, sociology, and economic theory are all relevant to the analysis of these threats. Deterrence theory, for example, focuses on how to prevent people with capacity from acting to inflict harm. Game theory explores how different political objectives and modes of interaction — reassurance, recognition, security, and prestige — influence exchanges of threat or attack. But to be useful, these analytic tools now need to navigate an entirely new landscape. How, for instance, can one deter an entity that thrives on the secrecy of an Internet identity? Are there ways of deterring cyber warriors who thrive on the prestige of making a bold cyber strike? Can we translate strategies designed to influence the behavior of nation-states (who must balance a range of goals that include their power, the stability of their regimes, and the well-being of their populations) for use against smaller networks, with neither citizens nor legal standing to worry about? In important and obvious ways, we cannot simply turn to the established works of social scientists for answers.

The problem, of course, is compounded by the technological side of things, and by the fact that social scientists, computer scientists, engineers, and technicians have an uneven track record of working together to solve these problems (though in the current environment, work together they must). Does current technology allow us to deter a cyber attack credibly? If political strategy suggests a move from the existing, more defensive posture to one that favors a proactive attack on insurgent or criminal organizations, what might such a weapon look like, and what are the broader implications of using offensive cyber weapons? As such questions illustrate, the solution to many of today's most pressing cyber threats (as well as those we can imagine emerging in the near and distant future) rests not in the realm of the social sciences, but in efforts to integrate lessons derived from those sciences into the design of technological work; the march of cyber technology needs to converge around politically informed strategies for the deployment of that technology. Hence, while cyber security once functioned mainly as a shield to deflect attacks, wherever they came from and however they were directed, contemporary technological design must figure out both how to protect cyber assets and how to identify, interdict, disrupt, and frustrate the organizations that mount attacks against them.

This book is designed as a way of entering this conversation. The chapters in this book were mainly presented as papers at the Cyber Infrastructure Protection 2011 conference at the City College of New York, in early June 2011. At this conference, presenters were asked to think about the relationship between the technical and human elements of the threats to cyber security. The discussion was wide-ranging, including experts in law, criminal behavior, international dynamics, and, of course, technical elements of cyber security. This book includes many of those papers, as well as several additional contributions. By presenting this work, we hope to encourage more research and development of strategy toward a more integrated approach to cyber security, one which borrows both from the fields of technology and engineering and from broader social scientific approaches.

OUTLINE OF THE BOOK 

The book is divided into three main parts. Part I discusses the economic and social aspects of cyber security, covering the economics of malicious software and stolen data markets as well as the emergence of the civilian cyber warrior. Part II deals with law and cybercrime, covering social and justice models for enhanced cyber security, and provides an institutional and developmental analysis of the data breach disclosure laws. Part II also provides solutions for the critical infrastructure that protect civil liberties and enhance security, and explores the utility of open source data. Part III presents the technical aspects of the cyber infrastructure, presenting monitoring for Internet service provider (ISP) grade threats as well as the challenges associated with cyber issues.

ECONOMICS AND SOCIAL ASPECTS 
OF CYBER SECURITY 

The first two chapters in this book provide a framework for the economic and social aspects of cyber security. In Chapter 2, Thomas Holt uses data from a sample of active, publicly accessible web forums that traffic in malware and personal information to consider the supply and demand for various types of malicious software and related cybercrime services, which have a prospective economic impact on cybercrime campaigns against civilian and business targets. In order to explore and expand our understanding of the economics of cybercrime in general, this chapter utilizes a qualitative analysis of a series of threads from publicly accessible Russian web forums that facilitate the creation, sale, and exchange of malware and cybercrime services. The findings explore the resources available within this marketplace and the costs related to different services and tools. Using these economic data, coupled with loss metrics from various studies, this analysis considers the prospective economic impact of cybercrime campaigns against civilian and business targets. The findings provide insights into the market dynamics of cybercrime and the utility of various malware and attack services in the hacker community. In summary, this chapter explores the market for malicious software and cybercrime services in order to understand the price and availability of resources, as well as the relationship between the price paid for services and the cost experienced by victims of these crimes.

In Chapter 3, Max Kilger focuses on the civilian cyber warrior — who poses perhaps the most significant emerging threat to domestic and foreign critical infrastructures. Chapter 3 starts by providing some basic background for a schema that outlines six motivational factors that encourage malicious online behaviors.

The key concept is that, perhaps for the first time in history, an everyday ordinary civilian can effectively attack a nation-state — in this case, through a cyber attack on some component of that nation-state's critical infrastructure. "Effectively" here means that the attack can cause significant widespread damage and has a reasonably high probability of success and a low probability of the perpetrator being apprehended. One of the first things that one might want to investigate in the chain of actions for a terrorist act is the initial starting point, where individuals begin thinking about and rehearsing in their minds the nature, method, and target of the terrorist attack. A key point for the historical and social significance of the emergence of a civilian cyber warrior is the psychological significance of the event. The reassessment of the usual assumptions about the inequalities in the levels of power between nation-states and citizens establishes new relationships between the institutions of society, government, and individuals.

An initial examination of the severity of physical attacks and cyber attacks that respondents feel are appropriate to launch against a foreign country brings both good news and bad news to the table. On the one hand, the vast majority of respondents select only responses that have minor or no consequences for the targeted foreign country. On the other hand, there are a nontrivial number of respondents who personally advocate the use of physical and cyber attacks against a foreign country that have moderate to very serious consequences. While there is some comfort in the fact that expressing intentions to commit terrorist acts is only the first link in the behavioral chain from ideation to the execution of an attack, and bearing in mind that this is a scenario-based situation, even a small incidence of individuals who would consider some of the most serious acts is troubling. This suggests that the emergence of the civilian cyber warrior (and perhaps the physical attack counterpart) is an event to take into account when developing policies and distributing resources across national priorities to protect national critical infrastructures. Knowing the enemy can be a key element in gaining a comprehensive perspective on attacks against online targets.

LAW AND CYBERCRIME 

Law and cybercrime are explored in Part II of this book. In Chapter 4, Michael M. Losavio, J. Eagle Shutt, and Deborah Wilson Keeling argue that, to change the game in cyber security, we should consider criminal justice and social education models to secure the highly distributed elements of the information network, extend the effective administration of justice to cybercrime, and embed security awareness and competence in engineering and common computer practice. Safety and security require more than technical protections and police response. They need a critical blend of these elements with individual practice and social norms. Social norms matched with formal institutions enhance public safety, including in the cyber realm. Informal and formal modes of controlling and limiting deviant behavior are essential for effective security.

Chapter 4 suggests that routine activity theory, opportunity theory, and displacement theory — frameworks for analyzing crime in communities — are ways to conceptualize and pattern the benefits of informal social control on cyber security. Routine Activity Theory (RAT) holds that, for cyber security, the analysis should equally consider the availability of suitable targets, the presence or lack of suitable guardians, and an increase or decrease in the number of motivated offenders — particularly those seeking financial gain or state advantage. Online social networks themselves suggest opportunities for the examination of RAT-based security promotion. Facebook, MySpace, and LiveJournal are online social networks that can promote cyber security within and without their domains. RAT can also be applied to criminal activity involving computing systems. Criminological principles applied to cyber security also relate to the use of criminal profiling and behavioral analysis. The reactive use of these techniques, much like the use of technical digital forensics in network settings, serves to focus an investigation and response on particular areas and particular individuals. The proactive use of profiling, such as drug courier profiling, can deter or prevent crime.

In Chapter 5, Melissa Dark considers the state data breach disclosure laws recently enacted in most states of the United States. Three reasons make the state data breach disclosure laws of interest: (1) the rapid policy growth; (2) the first instance of an informational regulation for information security; and (3) the importance of these laws in preventing identity theft and protecting privacy. Technological advancements are changing the information security and privacy landscape considerably. Yet these policies are blunt instruments not suited to the careful excision of these ills. Some advocates of modifying existing laws assert that the outcome of data breach disclosure should be to motivate large-scale reporting so that data breaches and trends can be aggregated, which allows a more purposeful and defensive use of incident data.

In Chapter 6, Joshua Gruenspecht identifies some problems of identity determination that raise some of the most complicated unresolved issues in cyber security. Industry and government are pursuing a number of approaches to better identify communicants in order to secure information and other assets. As part of this process, some policymakers have suggested that fundamental changes to the way in which the Internet transmits identity information may be necessary. Authentication is "the process of establishing an understood level of confidence that an identifier refers to a particular individual or identity." Authentication often involves an exchange of information before some other transaction in order to ensure, to the extent necessary for the transaction at hand, that the sender of a stream of traffic is who he or she claims to be or otherwise has the attributes required to engage in the given transaction. Attribution is the analysis of information associated with a transaction or series of transactions to try to determine the identity of the sender of a stream of traffic. Information collection and analysis is the focus of attribution. This chapter focuses on authentication and attribution; two other issues closely related to identity are critical elements of any secure system: authorization and auditing. This chapter considers these problems and concludes that authentication-oriented solutions are more likely to provide significant security benefits and less likely to produce undesirable economic and civil liberties consequences.

In Chapter 7, George W. Burruss, Thomas J. Holt, and Adam M. Bossler focus on the value of open reporting for malware creation and distribution. The authors consider how this information combines with other measures to explore the country-level economic, technological, and social forces that affect the likelihood of malware creation. The chapter proposes that online repositories containing data on malicious software can be valuable for studying the macro-level correlations of malware creation. The data for the dependent variable used for this study (MALWARE) came from an open source malware repository where individuals could post information obtained on malicious software. The data for the independent variables derive from the CIA World Factbook and from Freedom House, a nongovernmental agency that collects annual data on political freedom around the globe. The chapter concludes that the diverse and sophisticated threats posed by hackers and malicious software writers require significant investigation by both the technical and social sciences to understand the various forces that affect participation in these activities. The chapter suggests that there is a strong need for greater qualitative and quantitative examination of hacker communities around the world. Research on hacker subcultures in the United States, China, and Russia suggests that there are norms, justifications, and beliefs that drive individual action.

CYBER INFRASTRUCTURE


In Chapter 8, Abhrajit Ghosh presents a comprehensive view of network security from several years of research conducted at Telcordia; in particular, the problem of monitoring large-scale networks for malicious activity. The goal of the developed system is to detect various types of network traffic anomalies that could be caused by Distributed Denial of Service (DDoS), spamming, Internet protocol (IP) address spoofing, and botnet activities. Currently, three types of anomaly detectors are provided to collect data and generate alerts: (a) Volume Anomaly Detectors; (b) Source Anomaly Detectors; and (c) Profile Anomaly Detectors. The goal of the source anomaly detectors is to identify instances of source IP address spoofing in observed flows. Here data for the monitored ISP are acquired via NetFlow/sFlow data feeds from three flow agents. The profile anomaly detectors can detect behavioral anomalies pertaining to hosts within the monitored network.

One profile anomaly detector that is currently part of the system can identify potential spammers using flow data and spammer blacklists. The Telcordia system incorporates an efficient real-time volume anomaly detector designed to give early warning of observed volume anomalies. The volume anomaly detector operates by considering a near-term moving window of flow records when computing the traffic that travels to a destination address. The system incorporates a correlation engine that correlates alerts generated by the different types of anomaly detectors. A significant issue with many anomaly detection-based approaches is their potentially high false-positive rate. The correlation engine component is designed to reduce the possibility of generating false positives. Finally, the use of an alert correlation component is valuable to a network operator, who would be very interested in lowering false-positive rates.
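The design summarised above (a volume detector over a moving window of flow records per destination, a source detector for spoofed addresses, and a correlation engine that combines their alerts to cut false positives) can be sketched in a few dozen lines. The following is an added illustration written for this summary; it is not Telcordia's code or the chapter's method. The flow records, the 10-second bucket, the window size, the spike threshold, and the spoofing heuristic (source addresses from ranges that should never appear on an ISP's external links) are all constructed assumptions.

```python
"""Flow-based anomaly detection with alert correlation.

Added illustration of the monitoring design summarised above; this is not
Telcordia's code.  The flow records, bucket size, window, thresholds and the
list of never-valid source ranges are all constructed for the example."""
import ipaddress
import statistics
from collections import defaultdict, deque
from dataclasses import dataclass

BUCKET = 10        # seconds per volume bucket (assumption)
WINDOW = 6         # moving window: how many recent buckets form the baseline
MIN_HISTORY = 4    # baseline buckets required before a destination can alert
Z = 3.0            # a bucket is a spike when above mean + Z * stdev of baseline

# Source ranges that should never appear on an ISP's external links; a flow
# claiming one of them is treated as spoofed (assumed heuristic).
NEVER_VALID_SOURCES = [ipaddress.ip_network(n) for n in
                       ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds
    src: str
    dst: str
    nbytes: int


def source_anomalies(flows):
    """Source Anomaly Detector: one alert per flow with an impossible source."""
    alerts = []
    for f in flows:
        src = ipaddress.ip_address(f.src)
        if any(src in net for net in NEVER_VALID_SOURCES):
            alerts.append(("spoof", f.ts // BUCKET, f.dst, f.src))
    return alerts


def volume_anomalies(flows):
    """Volume Anomaly Detector: bytes per destination per bucket, compared
    against the moving window of the most recent non-anomalous buckets."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f.dst][f.ts // BUCKET] += f.nbytes
    alerts = []
    for dst, buckets in per_dst.items():
        baseline = deque(maxlen=WINDOW)     # totals of recent normal buckets
        for b in sorted(buckets):
            total = buckets[b]
            if len(baseline) >= MIN_HISTORY:
                mean = statistics.mean(baseline)
                sd = statistics.pstdev(baseline) or 1.0   # avoid zero spread
                if total > mean + Z * sd:
                    alerts.append(("volume", b, dst, total))
                    continue                # keep the spike out of the baseline
            baseline.append(total)
    return alerts


def correlate(volume_alerts, spoof_alerts):
    """Correlation engine: a volume spike on its own stays low confidence
    (it may be a legitimate flash crowd); a spike whose bucket also carries
    spoofed-source flows to the same destination is promoted to high."""
    spoofed = defaultdict(set)
    for _, b, dst, src in spoof_alerts:
        spoofed[(b, dst)].add(src)
    results = []
    for _, b, dst, total in volume_alerts:
        srcs = spoofed.get((b, dst), set())
        results.append({"bucket": b, "dst": dst, "bytes": total,
                        "spoofed_sources": len(srcs),
                        "confidence": "high" if srcs else "low"})
    return results


def constructed_flows():
    """Constructed sample: five quiet buckets, then in bucket 5 a flood from
    spoofed sources against .10 and a flash crowd from real sources against .20."""
    flows = []
    for b in range(5):
        for i in range(3):
            ts = b * BUCKET + 3 * i
            flows.append(Flow(ts, f"198.51.100.{i + 1}", "203.0.113.10", 1000))
            flows.append(Flow(ts, f"198.51.100.{i + 4}", "203.0.113.20", 1000))
    for i in range(40):
        flows.append(Flow(50 + i % 10, f"10.{i}.{i}.{i}", "203.0.113.10", 1500))
    for i in range(20):
        flows.append(Flow(50 + i % 10, f"198.51.100.{10 + i}", "203.0.113.20", 1500))
    return flows


def run(flows):
    """Run both detectors over the flows and correlate their alerts."""
    return correlate(volume_anomalies(flows), source_anomalies(flows))


if __name__ == "__main__":
    for alert in run(constructed_flows()):
        print(alert)
```

Both destinations trip the volume detector in bucket 5, but only the one whose spike coincides with spoofed-source flows is reported at high confidence; the flash crowd stays a low-confidence volume alert, which is the false-positive reduction the correlation engine is meant to provide.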

The goal of Chapter 9, written by Stuart Starr, is to explore the state of the art in our ability to assess cyber issues. To illuminate this issue, the author presents a manageable subset of the problem. Using that decomposition, he identifies candidate cyber policy issues that warrant further analysis and identifies and illustrates candidate Measures of Merit (MoMs). Subsequently, Starr characterizes some of the more promising existing cyber assessment capabilities that the community is employing. That discussion is followed by an identification of several cyber assessment capabilities that are necessary to support future cyber policy assessments. The chapter concludes with a brief identification of high-priority cyber assessment efforts to pursue.

PART I:

ECONOMICS AND SOCIAL ASPECTS OF CYBER SECURITY

CHAPTER 2


EXPLORING THE ECONOMICS 
OF THE MALICIOUS SOFTWARE MARKET 

Thomas J. Holt 

This research was sponsored by the National Institute of Justice, Award No. 2007-IJ-CX-0018 (August 2007-November 2009). The points of view within this document are those of the author and do not necessarily represent the official position of the U.S. Department of Justice.

INTRODUCTION 

The growth and function of malicious software markets have caused a shift in the way that hackers with varying degrees of skill use and access malware. Specifically, web forums allow individuals to purchase access to sophisticated malicious software to victimize vulnerable systems and individuals and to sell the data they illegally obtain for a profit. Those with limited technical capabilities can utilize products sold in these markets to engage in attacks, while individuals with greater skill can generate a profit by providing access to their infrastructure and resources. While researchers are constantly exploring these markets to identify emerging threats, few have considered the actual economic conditions that affect the market, including the costs and benefits for offenders and the losses incurred by affected victims. This qualitative study utilizes data from a sample of active, publicly accessible web forums that traffic in malware and personal information to determine: the supply and demand for various types of malicious software and related cybercrime services; the offenders' costs associated with multiple forms of attacks; and the prospective economic impact of cybercrime campaigns against civilian and business targets. The findings will benefit computer security practitioners, law enforcement, and the intelligence community by exploring the market dynamics and scope of the underground economy for cybercrime.

OVERVIEW 

As technology increasingly permeates all facets of modern life, the risks posed by cyber attacks have increased dramatically.[1] Hackers target all manner of systems around the world in order to steal information, compromise sensitive networks, and establish launch points for future attacks.[2] In fact, evidence suggests that the number of computer security incidents has increased as more countries connect to the Internet.[3] Many of these attacks stem from computer hackers living in China, Russia, and Eastern Europe.[4] A sizeable proportion of these actors utilize malicious software, or malware, to automate various aspects of an attack.[5]

Malicious software, including viruses, Trojan horse programs, and various other tools, simplifies or automates portions of a compromise, making it possible to engage in more sophisticated or complex intrusions beyond the true skills of the attacker.[6] In addition, the emergence of botnet malware, which combines multiple aspects of existing malware into a single program, enables hackers to establish stable networks of infected computers around the world.[7] These botnets can engage in attacks ranging from the distribution of spam to denial of service attacks and network scanning. The growth of botnet malware in the computer underground has revolutionized malware, leading individuals to lease out their infrastructure to the larger population of semi-skilled hackers to engage in attacks.[8]

The evolution of malware has led to the formation of an online marketplace for the sale and distribution of malicious software, stolen data, and hacking tools.[9] These markets largely operate in forums and Internet Relay Chat (IRC) channels in Russia and Eastern Europe and enable hackers to buy or sell various tools and services to facilitate attacks against all manner of targets. Few studies have, however, considered the impact of these markets on the economics of cybercrime for both victims and offenders. For instance, the ability to purchase sophisticated malware may reduce the time an individual must invest in an attack, and diminish the requisite knowledge needed to hack.[10] In addition, limited research has considered the supply and demand for different services within the malware market, calling into question the perceived value of certain tools and attacks relative to other offenses. Finally, the lack of concrete loss metrics on the impact of cybercrime in both the public and private sectors makes it difficult to understand the profits a cybercriminal may acquire.

In order to explore these issues and expand our understanding of the economics of cybercrime in general, this chapter utilizes a qualitative analysis of a series of threads from publicly accessible Russian web forums that facilitate the creation, sale, and exchange of malware and cybercrime services. The findings explore the resources available within this marketplace and the costs related to different services and tools. Using this economic data coupled with loss metrics from various studies, this analysis considers the prospective economic impact of cybercrime campaigns against civilian and business targets. The findings provide insights into the market dynamics of cybercrime and the utility of various malware and attack services in the hacker community.

HACKING, MALWARE MARKETS, AND THE 
ECONOMIC IMPACT OF CYBERCRIME 

In order to examine malicious software markets, it is critical to first understand the general dynamics of the hacker community, whose members create and utilize malware. Hackers operate within a subculture that values profound and deep connections to technology. This subculture is also a meritocracy, in which participants judge one another based on their capacity to utilize computer hardware and software in innovative ways. Those who can devise unique tools and identify new vulnerabilities garner respect from their peers and develop a reputation for skill and ability within the subculture.

There are, however, a limited number of individuals with the knowledge or skill necessary to engage in truly sophisticated hacks and attacks. A larger proportion of the hacker community has some demonstrable skill and can understand both the theory and mechanics behind an attack, but may not be able to create all the tools necessary to complete an attack on their own. Thus, they may seek out resources from those with greater skill in order to improve their capabilities. Similarly, a portion of the hacker community simply seeks to engage in attacks or applications of hacking without developing the knowledge necessary to complete the act. These actors are referred to as "script kiddies," because they try to acquire malicious software and use these programs without understanding their full functionality or the processes affected.

The variation in skill and ability within the hacker community, coupled with a strong desire for the free flow of information, led hackers to regularly trade and distribute tools and information both on and offline. In the 1980s and 1990s, individuals would often barter for new resources, whether by trading stolen information or credentials, bulletin board system (BBS) access, or other valuable resources. The creation of electronic payment systems and changes in the popularity of technology and information sharing, however, have engendered the growth of online markets where hackers can sell tools and data.

Examinations of these marketplaces indicate that hackers can now buy and sell resources to facilitate attacks, as well as information acquired after a compromise. Hackers regularly sell credit card and bank accounts, PINs, and supporting customer information obtained from victims around the world in lots of tens or hundreds of accounts. Individuals also offer cash-out services to obtain funds from electronic accounts or automated teller machines (ATMs) offline, as well as checking services to validate whether an account is active and what balance is available. Spam- and phishing-related services are also available in IRC channels, including bulk email lists to use for spamming and email injection services to facilitate responses from victims. Some sellers also offer Distributed Denial of Service (DDoS) services and web hosting on compromised servers.
These studies clearly demonstrate the burgeoning marketplace for hacking tools and stolen data, and offer some insights into the costs of goods and services. Few, however, have considered how the fee structures and pricing for malware and data services may affect offender decision-making. For instance, it is unclear how much an individual may earn from a spam, denial of service, or malware infection campaign relative to his or her initial investment. This is due to the substantial difficulty in obtaining information about the losses to individual and corporate victims of cybercrime. Intrusions and attacks often go unreported to law enforcement, particularly in corporate settings, because businesses may not recognize, or may cover up, the problem to minimize customer concerns. Similar issues arise in estimating the losses individual citizens experience due to cybercrime. Many home users may not recognize that their computer has been compromised, or may perceive that the incident will not be investigated or taken seriously by law enforcement.

As a consequence, there are few official statistics available on the prevalence of cybercrimes reported to law enforcement agencies. For instance, this information is not provided in the Federal Bureau of Investigation's (FBI) annual Uniform Crime Reports, and few industrialized nations report cybercrime through a central government outlet. There are also a limited number of outlets that report the economic impact of computer intrusions and cyber attacks. This is due to the difficulty of accurately estimating the costs of cleaning and mitigating an infection or patching all affected systems. The variation in the impact of an attack also makes it difficult to determine appropriate loss metrics. For example, it is unclear whether the estimated financial harm of a DDoS attack should be based on the prospective loss of revenue from prospective customers or on losses to employee productivity.

As a consequence, data on the costs of cybercrime are largely generated by small samples of corporations willing to provide information based on attacks within their environments. Similarly, the Internet Crime Complaint Center is one of the few outlets that provides consistent statistics on the economic impact of certain forms of cybercrime victimization in the general population. The reported estimates use only self-reported victimization as the basis for examination. Thus, it is unknown how common these offenses are in the general population or how the variation in losses affects individual behavior online.

In light of the significant gap in our knowledge of the economics of cybercrime for both offenders and victims, this chapter explores the issue using a qualitative analysis of 909 threads from 10 active web forums in Russia and Eastern Europe that are involved in the creation, sale, and distribution of malicious software. It examines the products and services available in the market, as well as the supply, demand, and price for these resources. In turn, this information is used to develop estimates for profit margins based on costs and loss metrics for cybercrime campaigns against civilian and business targets.

Data and Methods. 

The data for this study came from a sample of 10 publicly accessible web forums; six of these forums trade in bots and other malicious code, while four provide information on programming, malware, and hacking. These data were collected as part of a larger project examining botnets using a snowball sampling procedure in Fall 2007 and Spring 2008. Specifically, two English language forums were identified through google.com, using the search term "hot virus carder forum dump." This is a standard technique used by social scientists to collect qualitative data online and obtain a wide sample of prospective sites. After exploring the content of publicly accessible threads from these two sites, six other Russian language forums were identified via web links provided by forum users. In fact, most participants in forums involved in the sale and trade of malware communicate in Russian. Thus, a sample of threads from each of these forums was examined by a native-speaking Russian research assistant to ensure the content focused on the sale and exchange of malware. Four additional Russian language forums were identified through links provided in these sites to create this sample of ten forums. Six of these forums focus exclusively on either open sales or requests for malicious software, hacking tools, cybercrime services, and stolen data. The remaining four forums provide a mix of sales, information sharing, and resources to facilitate hacking and malware creation. The names of each forum have been removed to maintain some confidentiality for the participants and forum operators.

Within these 10 forums, all of the available publicly accessible threads were downloaded and saved as web pages. A significant volume of information was obtained, so the first 50 threads from each forum were translated from Russian to English to assemble a convenience sample of threads. A certified professional translator translated the first 50 threads from eight of the 10 forums. Additionally, 25 threads from Forum 06 and 21 threads from Forum 05 were translated. Due to limited translator availability and duplicate translations in some of the forums, a native Russian graduate student translated additional content. This student translated an additional 150 threads from each of Forums 03 and 04, and an additional 138 threads from Forum 05. These three forums were selected for further analysis, since they were very active and provided greater detail on the activities and practices of actors within malware markets. Duplicate threads were translated to determine translator reliability, which appeared high across the two translators.

A total of 909 threads were derived from this convenience, yet purposive, sample of 10 forums. The threads consisted of 4,049 posts, which provided a copious amount of data to analyze (see Table 2-1 for forum information). Moreover, the forums had a range of user populations, from only 35 to 315 users. These threads span the period from 2003 to 2007, though the majority of threads were from 2007.

The translated threads were then printed and analyzed by hand to consider both the prevalence and cost of products and services bought and sold in these forums. A content analysis was conducted to identify products, resources, and materials either sold or sought out in these markets. Advertisement content was coded based on the details provided. A post was coded as a sale if an individual stated that he or she was "selling," "offering," or otherwise providing a service. Requests for products were coded based on the language used, such as "need," "buying," or "seeking." Each item either requested or sold was coded individually, so that an advertisement selling both a piece of malware and a spam database was coded as one spam database and one piece of malware. Thus, the number of advertisements is larger than the overall number of threads in which the advertisements appeared.
Forum    Number of   Number of   User        Timeframe
         Threads     Posts       Population  Covered
01            50         183          88     6.00 months
02            50         164          50    20.00 months
03           200       1,203         315    10.75 months
04           200         812         273    12.50 months
05           159         369         153     6.75 months
06            50         251          82    36.25 months
07            50         379         116    29.50 months
08            50         291          95    (illegible in source)
09            50         172          35    10.50 months
10            50         225          95     1.50 months
Total        909       4,049       1,302

Table 2-1. Descriptive Data on Forums Used.

Note: the Forum 08 row is illegible in the source. Its thread, post, and user counts shown here are the remainders implied by the column totals; its timeframe cannot be recovered.


The threads were also analyzed to determine the services either being sold or requested. Services were coded into categories based on the content of the ad. Specifically, any ad that provided a service, such as the delivery of spam, web hosting, or hacking, was coded as "cybercrime services." Ads related to malicious software, including bots, Trojan horses, and iFrame tools, were coded as "malware." Individuals buying or selling credit card account information, records from keystroke logs on compromised machines, or other such resources were placed into the category "stolen data." The tag "ICQ numbers" was used for ads selling or requesting ICQ numbers for personal use. Any advertisement that appeared to be for legitimate products, such as computer hardware or software, video game resources, legitimate security or programming services, or other products, was placed under the tag "Other Services." Information on stolen data, ICQ numbers, and other services is excluded from this analysis, since these comprise only 36 percent of all threads observed and are ancillary to malicious software production and services to facilitate cybercrime. Removing these threads enables this analysis to focus on malicious software and cybercrime services in depth.
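The two coding passages above (sale versus request cues, one coded item per product, and the category tags) can be mechanised as a first pass over translated threads before hand coding. The following is an added example written for this edition, not code from the chapter or from its research project. The sale and request cue words are the ones the text lists; the synonym list, the category lexicon, the tie-break rule for an ad that both sells and seeks, and the rule that attaches an ad's first dollar price to every item in it are this example's own assumptions, and the sample ads are constructed.

```python
"""Keyword coding of malware-market advertisements (added example)."""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sale/request cue words from the chapter's coding scheme ("selling",
# "offering"; "need", "buying", "seeking") plus a few synonyms (assumption).
SELL_RE = re.compile(r"\b(selling|sell|for sale|offering|offer)\b", re.I)
BUY_RE = re.compile(r"\b(buying|buy|need|seeking|looking for|wanted)\b", re.I)

# Category lexicon. The chapter names the four tags but not the words its
# coders keyed on, so these patterns are an assumption.
CATEGORY_RE = {
    "malware": re.compile(
        r"\b(trojans?|bots?|iframes?|cryptors?|joiners?|exploit packs?|keyloggers?)\b", re.I),
    "cybercrime services": re.compile(
        r"\b(spam\w*|hosting|ddos|hack\w*|prox(?:y|ies)|vpn|domains?|traffic)\b", re.I),
    "stolen data": re.compile(
        r"\b(credit cards?|cc|cvv|dumps?|logs|accounts?)\b", re.I),
    "ICQ numbers": re.compile(r"\b(icq (?:numbers?|uins?)|\d-digit icq)\b", re.I),
}

# Prices written as "$15", "USD 15", "15$", "15 USD", "15 WMZ" (WebMoney
# dollars) or "500 rub" / "500 WMR" (rubles). Bare numbers, such as the ICQ
# UIN in a contact line, are not prices and are ignored.
PRICE_RE = re.compile(
    r"(?<!\w)(?P<pre_cur>\$|usd|wmz)\s*(?P<pre_amt>\d[\d,]*(?:\.\d+)?)"
    r"|(?P<post_amt>\d[\d,]*(?:\.\d+)?)\s*(?P<post_cur>\$|usd|wmz|rubles|rub|wmr)(?!\w)",
    re.I,
)
CURRENCY = {"$": "USD", "usd": "USD", "wmz": "USD",
            "rubles": "RUB", "rub": "RUB", "wmr": "RUB"}


@dataclass(frozen=True)
class CodedItem:
    direction: str               # "sell" or "buy"
    category: str
    price_usd: Optional[float]   # first dollar price in the ad, if any


def classify_direction(text: str) -> Optional[str]:
    """Return "sell", "buy" or None; whichever cue appears first wins (assumption)."""
    sell, buy = SELL_RE.search(text), BUY_RE.search(text)
    if sell and (not buy or sell.start() <= buy.start()):
        return "sell"
    return "buy" if buy else None


def extract_prices(text: str) -> List[Tuple[float, str]]:
    """Every price in the ad as (amount, currency), in textual order."""
    out = []
    for m in PRICE_RE.finditer(text):
        amount = m.group("pre_amt") or m.group("post_amt")
        currency = (m.group("pre_cur") or m.group("post_cur")).lower()
        out.append((float(amount.replace(",", "")), CURRENCY[currency]))
    return out


def code_ad(text: str) -> List[CodedItem]:
    """One CodedItem per category matched, as the text says each product was
    coded separately. The ad's first USD price is attached to every item
    (assumption: the chapter does not say how multi-item ads were priced)."""
    direction = classify_direction(text)
    if direction is None:
        return []
    usd = [amount for amount, cur in extract_prices(text) if cur == "USD"]
    price = usd[0] if usd else None
    return [CodedItem(direction, cat, price)
            for cat, rx in CATEGORY_RE.items() if rx.search(text)]


def summarize(ads: List[str]) -> dict:
    """Per-category post counts, buy/sell split and USD price range,
    the same shape as the rows of Table 2-2."""
    rows = defaultdict(lambda: {"posts": 0, "buy": 0, "sell": 0, "prices": []})
    for ad in ads:
        for item in code_ad(ad):
            row = rows[item.category]
            row["posts"] += 1
            row[item.direction] += 1
            if item.price_usd is not None:
                row["prices"].append(item.price_usd)
    table = {}
    for cat, row in rows.items():
        prices = row.pop("prices")
        row["min"] = min(prices) if prices else None
        row["max"] = max(prices) if prices else None
        row["avg"] = round(statistics.mean(prices), 2) if prices else None
        table[cat] = row
    return table


# Constructed sample ads, not threads from the forums in the study.
SAMPLE_ADS = [
    "Selling Pinch trojan, full source, $450. ICQ 123456 for contact.",
    "Need a cryptor that beats Kaspersky, paying up to 40$. WM only.",
    "Offering spam mailing, 1 million emails for 50 USD; database of US "
    "emails also for sale, $100.",
    "Buying fresh CC dumps, US only, 500 rub each.",
    "Traffic for sale: mixed world stream, 1,000 installs for 15 WMZ, "
    "iframe pack included.",
    "Offering DDoS to order, 0.5$ per hour, botnet spread over many time zones.",
]

if __name__ == "__main__":
    for category, row in summarize(SAMPLE_ADS).items():
        print(f"{category:20} {row}")
```

Hand coding remains the reference: regular expressions over-code an ad that mentions "bots" while selling DDoS and under-code products described in slang the lexicon lacks, so a practitioner would use the output to draw a sample for manual review rather than as final counts.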

In order to examine the economics of cybercrime, simple equations and statistics will use data generated from two well-known and highly regarded sources: the Computer Security Institute's (CSI) Annual Computer Crime and Security Survey and the Internet Crime Complaint Center's (IC3) Annual Internet Crime Report. The CSI report is developed in conjunction with the FBI and provides one of the few available resources for statistics on the economic impact of cybercrime in corporate settings. This survey is distributed to 5,000 businesses and organizations across the United States via physical and electronic mail. Two follow-up solicitations are made, and the response rate is usually between 5 and 10 percent of all recipients. As a result, the figures presented most likely come from biased samples that may not accurately reflect the true costs of various attacks across businesses and institutions.

A similar bias is evident in the statistics provided by the Internet Crime Complaint Center. The agency is a joint operation of the FBI and the National White Collar Crime Center, which takes reports from individuals who self-identify as victims of certain types of online fraud. Individuals must report any incident via an online form hosted on the IC3 website. Anyone who is not aware of this resource may not report his or her experiences, reducing the generalizability of the data. Additionally, since victims must estimate the loss they have experienced, the reported statistics may not accurately reflect the true costs of victimization.

Despite the limited validity and generalizability of the statistics produced by these agencies, there are few other consistently reported and widely cited resources on the economic harm caused by cybercrime. Thus, the data produced by these agencies preclude strong conclusions and limit the generalizability of the analysis. The significant lack of research in this area, however, demands that some exploratory investigation be conducted to provide initial estimates for both corporate and individual losses and the general return on investment for cybercrime. The statistics presented are based on the 2008 reports provided by each agency, since they reflect all reported incidents for the 2007 calendar year. This creates a consistent data point between the forum content and the economic harm reported by victims of cybercrime. Since the CSI received a very low response rate in 2008 and did not publish all economic loss estimates, data from the 2007 CSI report will also be used to provide cost measures for certain offenses.

Finally, none of the economic estimates in this analysis include labor costs. It is unknown how many man-hours may be required to complete a successful attack, due to variations in the actors' skill and technical expertise. Similarly, the time spent to generate new infections or maintain an existing compromise may differ by attacker, based on the sophistication and ease with which they can manage the tools at their disposal. Certain attacks may also require no time investment on the part of the offender, as when paying for a service like a DDoS attack. Thus, time and labor costs are not included in these economic estimates, due to the difficulty in computing these figures.

FINDINGS 

Before discussing the products available, it is necessary to consider the structure of the market as a whole. These forums comprise an interconnected marketplace composed of unique threads that act as advertising space. Individuals created threads by posting their products or services to the rest of the forum. Alternatively, posters could describe in detail what they wanted to buy or acquire on the open market. Both buyers and sellers provided as thorough a description of their products or tools as possible, including contact information, pricing information, and payment methods. Actors within these markets communicated primarily through the ICQ instant messaging protocol or email, both of which can be encrypted to protect the participants during the sales process. Some also used the private message (PM) feature built into each forum. PMs ensure quick contact and act as an internal messaging system for each site, though they may be less secure, since the messages are stored on the forum's own server and are readable by whoever operates or compromises it.

Prices were in either U.S. dollars or Russian rubles, along with the desired method of payment through a web-based electronic payment system. Most participants used WebMoney (WM) or Yandex, since these enable the near-immediate transmission of funds between participants, with no need for face-to-face interaction. In addition, four of the forums identified offered guarantor payment services, an escrow arrangement in which an individual acts as a middleman and holds the buyer's money until the seller delivers the products or services ordered. Guarantor services ensure a higher likelihood of successful transactions, because both parties know the payment will be released or returned depending on whether the order is delivered. Thus, access to a guarantor service is an important way to ensure that transactions are completed in a timely fashion.

There were, however, no actual public transactions of services observed in these forums. Instead, buyers and sellers gave some indication of how the process operated. An interested individual would contact the advertiser via ICQ or email and negotiate the cost for services rendered. The prospective buyer then pays for the product and awaits delivery from the seller. Many sellers indicated that they must receive payment in advance of services rendered. This process exposes buyers to the risk of losing money should a good or service fail to be provided, and makes it easy for untrustworthy sellers to cheat them. As a result, the sales process appears to favor sellers rather than buyers.

Malware. 

The most common resource available in malicious software markets was the Trojan horse program (see Table 2-2 for breakdown). There were 78 ads related to Trojan horse programs, comprising 31.7 percent of all malware for sale. The cost of these programs varied significantly, from $2 to $5,000, depending on the quality and sophistication of the resource. A variety of Trojan horses were sold, ranging from well-known resources like Pinch, which can steal information from over 30 well-known programs, to keylogging Trojan horses designed to steal funds from WebMoney accounts. There was a relative balance between sale ads (51.3 percent) and custom request ads (48.7 percent) seeking Trojan horse programs. Thus, there is still a significant demand for novel or unique Trojan horses with special qualities that may not otherwise sell on the open market.

The second most common category was iFrame tools, which enable the distribution of malicious code to victims through their web browsers (30.5 percent). The iFrame originates in HTML, where an inline frame embeds a second HTML document inside a page so that multiple documents are displayed as a single page of content without any user interaction. Hackers subverted this design function to surreptitiously deliver malware to unsuspecting users: an injected frame, typically sized or styled so that the visitor sees nothing, silently loads a page from the attacker's server, and that page serves the browser or plug-in exploits that install the malware. Individuals accordingly sold iFrame "exploits" and "packs" that one could place on a server to infect the personal computers of individuals who visit web pages hosted there. This type of attack greatly increases the infection vector for malicious software, and with it the risk of identity theft, data loss, and computer misuse. There were 14 ads (66 percent) selling access to iFrame scripts and infection packs, indicating there is a healthy supply of these tools on the market. The proportion of requests for these resources (34 percent) also suggests there is still a substantial demand for iFrame malware. The price for these products ranged from $2 to $450, depending on the quality and sophistication of the resource. This is somewhat lower than the prices for Trojan horses, potentially because of the specialized application of iFrame tools and the knowledge required to establish the infrastructure and support infections.
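A defender scanning a site for the injected frames described above looks for the same properties the attacker relies on: a frame the visitor cannot see that pulls content from a host the page does not otherwise use. The following parser is an added example, not code from the chapter or from any iFrame pack; the sample page, the host names (shop.example, evil.example, tds.example, x.example) and the size thresholds are constructed for illustration.

```python
"""Hidden-iframe audit over fetched HTML (added example)."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Finding:
    src: str                 # iframe src, or "<script>" for a script-built frame
    reasons: List[str] = field(default_factory=list)


def _px(value: Optional[str]) -> Optional[int]:
    """'0', '0px', ' 1 ' -> pixels; percentages, 'auto' or absent -> None."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value)
    return int(m.group(1)) if m else None


def _style_px(style: str, prop: str) -> Optional[int]:
    """Pixel value of a property in an already whitespace-stripped style string."""
    m = re.search(rf"(?:^|;){prop}:(\d+)px", style)
    return int(m.group(1)) if m else None


class IframeAuditor(HTMLParser):
    """Collects <iframe> elements a visitor cannot see and <script> blocks
    that write an iframe at load time, the usual shape of an injection."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.findings: List[Finding] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            return
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").lower().replace(" ", "")
        reasons = []
        w = _px(a["width"]) if "width" in a else _style_px(style, "width")
        h = _px(a["height"]) if "height" in a else _style_px(style, "height")
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if re.search(r"(?:^|;)(?:left|top):-\d", style):
            reasons.append("positioned off-screen")
        if not reasons:
            return  # a visible embed of normal size is not a finding
        host = urlparse(a.get("src", "")).hostname
        if host and host != self.page_host:
            reasons.append(f"third-party src {host}")
        self.findings.append(Finding(a.get("src", ""), reasons))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Injected frames are often built by script rather than present in
        # the static markup; flag document.write calls that emit or decode one.
        if self._in_script and re.search(
                r"document\.write\s*\(.*?(?:<iframe|%3ciframe|unescape|fromcharcode)",
                data, re.I | re.S):
            self.findings.append(Finding("<script>", ["script writes an iframe at load time"]))


def audit(html: str, page_host: str) -> List[Finding]:
    """Parse one page and return every suspicious frame in document order."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate video embed plus three injected frames.
SAMPLE_PAGE = """<html><head><title>Shop</title><script>var ready = 1;</script></head>
<body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://evil.example/in.cgi?3" width="0" height="0"
        style="visibility: hidden"></iframe>
<div><iframe src="http://tds.example/go.php"
        style="position:absolute; left:-5000px; width:1px"></iframe></div>
<script>document.write(unescape("%3Ciframe src=%22http://x.example/%22 width=1 height=1%3E"));</script>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE, "shop.example"):
        print(f.src, "->", "; ".join(f.reasons))
```

The auditor reports an iframe only when it is zero-sized, hidden by style, or pushed off-screen, so an ordinary video embed of normal size is not flagged; the third-party host is recorded as supporting evidence rather than as a trigger. Because injected frames are frequently written from JavaScript at load time instead of appearing in the static HTML, document.write calls that build an iframe or decode one with unescape or fromCharCode are reported as well.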
Resources                     Number   Percent   Buy     Percent   Sell    Percent   Min.    Max.    Average
                              of Posts of Total  Posts   of Total  Posts   of Total  Price   Price   Price
Bots                             16       6.5       8      50.0       8      50.0      30    2,000   322.27
Bugs                              3       1.2       3     100.0       0       0.0      40       40    40.00
Cryptors, Joiners, and Engines   47      19.1      13      27.6      34      72.4    0.20       49    13.03
FTP Resources                    27      11.0      15      55.6      12      44.4      20    1,000   271.66
iFrames and Traffic Sales        75      30.5      26      34.7      49      65.3
  Tools                          21      28.0       7      33.3      14      66.6       2      450    79.25
  Traffic                        54      72.0      19      35.2      35      64.8       1      500   110.84
Trojan horses                    78      31.7      38      48.7      40      51.3       2    5,000   742.97
Total                           246     100.0     103      41.9     143      58.1

Table 2-2. Malware and Related Services Offered in Hacker Forums.

Note: prices are in U.S. dollars. For the indented Tools and Traffic rows, the percentages are shares of the iFrames and Traffic Sales category rather than of the total.


In addition, 72 percent of all iFrame ads involved hackers leasing access to their active iFrame infrastructure on compromised servers through "traffic streams." Selling traffic enabled individuals to make a profit by uploading someone else's malware to the server so that it could be used to infect individual users. There were a number of iFrame traffic sellers, and their ads comprised 64.8 percent of the traffic market, suggesting that there may be some saturation of this resource in the hacker community. Most traffic stream providers based their pricing on 1,000 infections, with an average cost of $110.84 per 1,000 systems. Sellers also explained that they could acquire infections in specific countries, and streams in the United States tended to have the highest price overall. Mixed traffic from various countries around the world was sold at the lowest overall price.

The third most prevalent form of malware sold was programs designed to conceal or encrypt malicious code so it could be delivered and activated without detection by antivirus programs. These tools were largely referred to as cryptors, and comprised 19.1 percent of the total programs offered in the malware market. Most individuals sold cryptors (72.4 percent), suggesting that these tools are readily available across the market. The average price for a cryptor was $13.03, substantially lower than for all other forms of malware. This may stem from the utility of cryptor software, since a cryptor is not strictly necessary to carry out an attack. Thus, individuals may be more likely to sell these programs at a lower price in order to attract prospective customers.

Hackers also offered compromised File Transfer Protocol (FTP) servers, which hold sensitive information including web page content, databases, email accounts, and other data. FTP resources comprised 11 percent of the overall malware market, and the price depended on the quality and quantity of data offered. The average cost of FTP resources was $271.66 per item, and there was a substantial demand for these services. In fact, 55 percent of the ads involved requests for specific servers or attacks. Thus, individuals could seek out someone to complete an attack on their behalf as a service, rather than take the time to complete this act on their own.

The final type of malware offered in the markets was bots, which constituted 6.5 percent of all malware bought and sold. Eight individuals offered either custom executables of bot programs or leased their existing infrastructure for spam distribution or as an attack platform. There was an equal number of requests for custom builds of bot malware, suggesting a strong demand to create and establish individual botnets. The average cost of bot services, at $322.27, was also higher than that of iFrame resources but lower than the price of a Trojan horse. The generally small proportion of ads related to bot malware may stem from the sizeable proportion of botnet-driven services available in the market.

Cybercrime Services. 

A diverse range of products enabling individuals to engage in a variety of cybercrimes was also available in the market, including Distributed Denial of Service (DDoS) attacks, spam, hacking services, and the hosting of malicious content online (Table 2-3). The primary service offered in these forums related to the distribution of spam (32.4 percent), that is, unwanted messages to email accounts, ICQ numbers, and mobile phones. The largest subcategory related to spam involved email databases that could be used to create distribution lists for spam delivery. Database sales and requests comprised 46.5 percent of the overall spam threads. Twenty-four individuals across five of the sites sold databases for spam, with variable costs based on the number of emails and the country location of each address. The majority of these ads involved sales of existing databases (78.8 percent), suggesting that there is a substantial supply of email addresses in the marketplace.
Resources                     Number   Percent   Buy     Percent   Sell    Percent   Min.    Max.    Average
                              of Posts of Total  Posts   of Total  Posts   of Total  Price   Price   Price
DDoS*                            29      13.0       0       0.0      29     100.0    0.41       25    14.26
Hacking Services**               30      14.0      16      53.3      14      46.7      --       --       --
  Compromise                     11      36.7       6      54.5       5      45.5      --       --       --
  Email/Passwords                19      63.3      10      52.6       9      47.4      --       --       --
Proxies and VPN**                25      11.4       4      16.0      21      84.0      --       --       --
  Proxy                          20      80.0       4      20.0      16      80.0      --       --       --
  VPN                             5      20.0       0       0.0       5     100.0      --       --       --
Spam Services                    71      32.4      14      19.7      57      80.3
  Databases                      33      46.5       7      21.2      26      78.8    0.50      100    45.43
  Services                       23      32.4       3      13.0      20      87.0    0.50      700    50.91
  Tools                          15      21.1       4      26.7      11      73.3    2.00      180    59.11
Web Hosting and Services         64      29.2       6       9.4      58      90.6
  Domains**                      24      37.5       2       8.3      22      91.7      --       --       --
  Hosting                        30      46.9       3      10.0      27      90.0    0.85      300    48.89
  Registration                   10      15.6       1      10.0       9      90.0    9.00      150    50.17
Total                           219     100.0      39      17.8     180      82.2

Table 2-3. Cybercrime Services Offered in Hacker Forums.

* Due to variation in pricing, DDoS estimates are based on the stated hourly rate or an average hourly rate derived from prices for a 24-hour attack.

** Due to significant missing data, hacking services, domain sales, and VPN service pricing are not included here.

Note: prices are in U.S. dollars. For indented rows, the percentages are shares of the parent category rather than of the total. The buy-post count for Web Hosting and Services (6) and the sell percentage for Hacking Services (46.7) are the values implied by the row's own post counts.
The second largest subcategory of spam involved ads related to the actual distribution of spam messages. The majority of these ads were sales-related (87 percent), suggesting that there was significant market saturation for this service. In addition, the price for spam distribution was generally low, with an average of $50.91. Sellers often described giving substantial discounts for sizeable deliveries, with the final cost for spam distribution averaging less than .0001 cent per message. Thus, the distribution of spam is a relatively inexpensive service to acquire. Finally, there were 15 threads (21.1 percent) pertaining to scripts and mailing programs to facilitate the distribution of spam. The average price for spam tools was $59.11, the most expensive average price in this category. The proliferation of spam resources suggests that this is now a service-driven product for attackers, requiring minimal knowledge of computer systems and networks.

Individuals also offered services to support a variety of malicious web content. Hackers need resources to host malicious content, such as malware or cracked software; thus, web hosting and domain resources comprised 29.2 percent of the threads related to cybercrime services in these markets. There were 30 threads related to web hosting, made by 22 different usernames in five forums. Additionally, there were only three requests (10 percent) for web hosting services, suggesting there is a substantial supply of providers available. Descriptions of the hosting services varied, depending on the amount of storage offered and the level of customer support. The price for service was variable, ranging from 50 cents to $300, with an average of $48.89. Thus, hosting services could be obtained for a generally low price, depending on individual needs.
Sellers also indicated in their ads what content they would not host. In particular, child pornography and bestiality-related content were regularly viewed as unacceptable. Hosting this sort of content may pose too much risk for a provider, since many countries have legislation and law enforcement initiatives to combat child pornography. By contrast, malware was often cited as acceptable, demonstrating the key intersection between malware and cybercrime service providers.

There were also nine individuals offering domain 
name registration services in order to shield actor iden- 
tities from law enforcement and domain registration 
authorities. Since 90 percent of these ads were sales- 
related, there is a clear supply of providers within the 
market. In addition, seven individuals sold web do- 
mains comprising 37.5 percent of these services. Thus, 
there appears to be a solid support infrastructure in 
place to aid hackers in developing, hosting, and main- 
taining malicious web content. 

Hacking services comprised 14 percent of all service-related posts, and offered two primary forms of attack. The first was account-related, including surreptitiously obtaining passwords for email accounts, website log-in screens, and forums. Eleven ads appeared in this sample of threads, suggesting that there is a relatively high demand (45.5 percent) for assistance with hacking. The second form involved compromising or attacking a specific target. There were 19 ads for compromise assistance, with a similar distribution of buyers (52.6 percent) to sellers (47.4 percent). Specifically, 10 individuals requested assistance in obtaining access to different systems, ranging from hacking FTP servers to acquiring spam databases from specific websites. Nine users also advertised hacking services to order, including attacking Google page ranking systems or acquiring passwords for email accounts. These ads did not provide any substantive information on pricing, making it difficult to determine price metrics. At the same time, the prevalence of requests and available service providers demonstrates that these forums enable individuals to engage in forms of cybercrime that may exceed their technical capabilities.

A proportion of sellers also offered DDoS attack services for a fee. These services comprised 13 percent of the overall posts related to cybercrime services in these forums, including 29 ads across four of the forums (see Table 2-3 for detail). Sellers offered to flood a web server with requests, rendering it unable to complete the information exchange necessary to fulfill user requests for content. As a result, individuals are unable to access resources hosted on the server for the duration of the attack. DDoS providers regularly mentioned that their services were supported by botnets, as in an ad from one provider who noted "Large quantity of BOTS online, quantity grows every day. BOTs are located in different time belts [zones], which allows the DDoS to work 24 hours a day." All of the ads in this sample were sales-related, indicating that these providers have completely saturated the market and are readily accessible to interested parties. The average cost for DDoS services was $14.26 per hour, indicating that this service is also relatively inexpensive.

The final service identified in these forums offered access to proxy services and Virtual Private Networks (VPN). These resources conceal an individual's IP address and location, reducing the likelihood of detection while one is engaging in attacks or malicious activity online by routing packet traffic from the user's system through IP addresses on a server. The majority of ads for both proxy and VPN services were sales-related (84 percent), suggesting there is a significant supply of these services within the malware market. The pricing for proxy services was often tiered based on the total number of proxies purchased, though the average cost of proxy services was $42.52. There was, however, too much missing data to calculate the cost of VPN services. Nevertheless, these findings suggest that tools to conceal an actor's location were readily accessible through these forums.

Examining the Economics of Cybercrime. 

The cost metrics derived from these forums make it possible to consider the economic gains individuals may generate from the use of malware and cybercrime services. For instance, the significant number of Trojan horses advertised calls into question the costs and benefits of obtaining malware for attack purposes. Using the average costs for tools, it is possible that an attacker may spend $755.80 to acquire a Trojan horse ($742.77) and encryption software ($13.03) to increase the likelihood of infection. If the attacker were to attempt to target victims randomly in order to establish an infection, he or she may distribute infected files via spam email. If a proportion of unsuspecting recipients open the file, this may immediately create a series of infections with minimal effort. The average cost to obtain an email address from an existing database or send a message is .0001 cents. Thus, it would cost approximately .0002 cents to obtain and send a message to a single email address using the providers identified in these forums. At this rate, an individual would spend $20 to send out 100,000 spam messages. Adding this figure to the software costs increases the overall offender investment for a malware campaign to $775.80.
Comparing this figure against the loss to business and industry indicates that there is a significant difference in the harm that a hacker can cause. The CSI report indicates that the cost of remediating a virus or worm infection is $40,141 per respondent. Thus, the cost to a victimized business can be up to 53 times greater than the initial investment made by the offender. Simple destruction or infections do not, however, generate revenue for an attacker. Instead, they must obtain sensitive data through key-loggers or mass intrusions into database information. These losses can be exponentially worse, as the average cost for the theft of proprietary data was $241,000 per respondent, and $268,000 for stolen customer or employee data. Thus, the profit margin for malware acquisition can be substantial, depending on the quality and quantity of data acquired.

Examining the cost of botnet establishment and mitigation reveals a similarly high profit margin. For example, if an individual pays the average cost of $322.27 to acquire botnet software, and an additional $200 to send out a million spam messages, his or her total investment is $522.27. Within corporate environments, the average cost to mitigate and remove a botnet infection was $345,600 per respondent. Using this metric, if a bot herder were able to establish 10 nodes across five companies, it is feasible that this might cause over $1.7 million in damages. In addition, he or she could regain the initial investment costs by leasing their bot infrastructure to engage in a single 37-hour DDoS attack if he or she charged the average rate of $14.26 per hour. Alternatively, the bot herder would need to send out at least 5.2 million spam messages through his or her infrastructure at .0001 cents per message to earn back the investment.
A similar rate of return can be found with iFrame campaigns. If an offender wanted to establish his or her own iFrame service over a 6-month period, the offender may have to acquire three resources. First, the offender may spend up to $450 to purchase the most expensive iFrame kit available in the market. Second, if the offender does not have the capacity to compromise and install the kit on a server, he or she may identify a third-party web-hosting service for the kit. In this scenario, the offender would pay an average of $48.89 to host the malware each month for a total of $293.34. In addition, a weekly spam campaign may prove useful in order to drive prospective victims to the website. In this scenario, the individual would have to spend $4,800 to send out one million spam messages each week at $200 over a 24-week period. In total, an offender using each of these services, including paying the maximum for an iFrame kit, would spend $5,543.34 over a 6-month period.

If the attacker is successful in generating traffic, he or she may choose to lease out the infrastructure to generate a profit. Using the average cost metric for traffic sales at $110.84 per 1,000 infections, the offender would need to generate consistent traffic and infect at least 50,000 systems from mixed traffic to regain his or her initial investment. It is unclear from the posts and comments from sellers how long it takes to generate such traffic, though the sheer number of traffic resellers suggests that it is possible to establish and maintain such an infrastructure over time. Thus, there appears to be some substantial return on investment for iFrame operators who are willing to make operational expenditures in their infrastructure over time.

Since malware requires time, money, and some skill to use properly, some offenders may opt to lease services from providers in the market. For instance, the availability of DDoS services in the forum suggests that individuals may be interested in paying for an attack rather than creating and maintaining their own botnet. Since the average cost of DDoS services in these forums was $14.26 per hour, a botmaster may generate an estimated $342.24 per day for a 24-hour attack. It is also clear that lengthy attacks decrease productivity and increase financial harm for the target. Thus, an offender may spend $1,026.72 for a 3-day attack based on a 72-hour rate at $14.26 per hour. This is most likely an overestimate, as DDoS providers offered discounted prices based on the length of an attack. Regardless, victims lost an average of $14,889.69 from DDoS attacks in 2006. This is a substantial impact that well exceeds the initial cost paid by the offender.

A successful DDoS attack does not, however, generate any observable economic gain for the individual who ordered the attack. As a consequence, it is necessary to consider how an individual may use a DDoS provider to generate a substantial profit. To that end, a number of hackers blackmail businesses by threatening to take their systems offline using DDoS attacks. Prospective targets often pay ransoms to avoid a loss of service or embarrassment over a prospective attack. In fact, CSI respondents paid an average of $824.74 to avoid or stop attacks in 2006. To that end, a botmaster or his or her prospective client could readily generate a profit by simply threatening to attack a company. It is unclear how long an attack would need to take place to ensure payment of a ransom, though if an offender had to pay for a 24- to 48-hour attack, he or she could still generate a profit of approximately $150 or more based on the average business cost. The profit margin increases substantially if an attack ends within a matter of hours. Thus, blackmail may be an extremely useful way to utilize DDoS services.

The same profit margins are evident in the use of spam providers. Since an individual attacker may spend approximately .0002 cents to obtain and send a message to a single email address, his initial investment is quite small. The likelihood of successful responses is equally low, since there are myriad security tools designed to filter or block spam messages from reaching the end user. Depending on the scheme employed, however, an attacker need only affect a small number of users in order to make a profit. For instance, advance fee fraud ("419 scams") is one of the most economically rewarding spam schemes. In these frauds, the sender poses as a banker, barrister, or wealthy heiress seeking assistance to move a large sum of money out of the country. The senders say they need the assistance of a trustworthy foreigner to help them complete this transaction due to various legal or familial issues. All that the victim needs to do is provide his or her name, address, and banking information, and in return that person can retain a portion of the total dollar amount described.

Though it is unknown how many individuals who receive these messages actually respond to the fraudulent solicitation, estimates state that between 1 and 3 percent of all recipients are victims. In addition, data from the Internet Crime Complaint Center suggest that victims lose an average of $1,922.99 when participating in the scheme. With this in mind, if an offender spends $200 to send out one million advance fee fraud messages, he may receive an overly conservative response rate of .00005, or 50 recipients. Using the IC3 average dollar loss for this sort of scam, a cybercriminal could earn $96,149.50 from these 50 respondents, which is 480 times their initial investment. Though these scams require a significant degree of human interaction with the victim and labor in order to be successful, the profit margin is still exceedingly high. Thus, spam distribution services are a key resource in the larger marketplace for cybercrime, and their low price may reflect the difficulty in effectively targeting and ensuring a high rate of return from an investment.

DISCUSSION AND CONCLUSIONS 

This monograph sought to explore the market for malicious software and cybercrime services in order to understand the price and availability of resources, as well as the relationship between the price paid for services and the cost experienced by victims of these crimes. The findings suggest that myriad tools and services are available and sold for profit in an open market environment that encourages and supports cybercrime. Individuals could procure spam, DDoS attack services, Trojan horses, iFrame exploit infections, web hosting, and various other resources at relatively low prices from the forums in this sample. Several of these services also depend on botnets for functionality, demonstrating the prominence of this malware in cybercrime.

The pricing structure and observed supply and demand for different resources suggest that these markets have made it easier for individuals to engage in computer intrusions and attacks. Participants in these forums no longer need to cultivate high levels of skill and technological sophistication, since they could readily request assistance to compromise email accounts or servers, and lease existing infrastructure created by more skilled actors. In fact, botmasters appear to recognize the value of their infrastructure and offer services enabled by their infrastructure to generate a profit. In turn, the marketplace appears to operate largely as a service economy in which individuals can select from multiple providers based on price and customer service in order to complete an attack that may well exceed their overall level of knowledge.

Examining the return on investment for engaging in various cybercrime schemes also suggests that attackers can generate a substantial profit or cause damage that far exceeds their initial investment. In fact, some of the least expensive products, such as spam distribution, may provide a massive gain for the individual attacker and a slight profit for the service provider. In addition, individuals who own and operate bot and iFrame infrastructure may generate a substantial profit over time by leasing their services. Those who lease or pay fees for service may, however, have a reduced risk of detection from law enforcement because they do not actually compromise systems or have a significant relationship to the affected systems. In addition, their profit margins may be slightly higher due to minimal labor and maintenance costs. Their limited skill set may diminish their overall lifetime earning capacity, since they may never cultivate the necessary skills to create and complete their own intrusions and attacks.

The findings of this exploratory analysis must be interpreted with caution due to the inherent limitations of the data. Specifically, the victimization statistics used in this analysis have extremely limited generalizability and are most likely biased samples representing small proportions of the total population. In addition, the CSI reports indicate that less than a third of all incidents that occur are reported to law enforcement. Thus, there is a critical need for increased reporting of cybercrime and improved measures for corporate and individual losses. The paucity of data in this area makes it difficult to understand or estimate the efficacy of cyber attacks and the overall economic gains made by offenders. Increased clarity in reporting is vital to move criminological and information security research beyond speculation, and to move case studies into quantifiable areas of loss calculation. In turn, one can better understand the economics of both attack and defense.

Additionally, the data used for the forum analyses derive from publicly accessible forums that are over 3 years old. The content of the data may be radically different from the resources available in private forums, which require registration and membership vetting in order to access posts. In addition, the rapid changes in technology make it difficult to extrapolate these findings to the current resources that may be available in the malware marketplace. Finally, this analysis used a small proportion of threads from multiple forums, which may limit the amount of malware and services observed. Thus, there is a need for greater research to understand the practices and content of malware markets over time. Longitudinal research can provide insights into the shifts in available resources, and identify any declines or spikes in the price for a good or service. Such research can also identify new trends in malware and attack vectors, improving the response capabilities of law enforcement and security professionals. Future research should also develop comparative samples of threads from open and closed forums to consider variations in the products that can be acquired by those with greater penetration into and status in the hacker community. In turn, this can substantially improve our understanding of the skill and ability present in the hacker community and its operational capabilities.
CHAPTER 3

THE EMERGENCE OF THE CIVILIAN CYBER WARRIOR

Max Kilger 

Note: The information in the chapter derives from 
a current study by the author and other researchers. 

INTRODUCTION 

The advantages gained from making a concerted effort to develop an understanding of an adversary are difficult to overstate. Whether the analysis occurs through a psychological, social-psychological, anthropological, or strictly sociological perspective, the ability to "know your enemy" is a critical component of a comprehensive strategy to protect assets actively and proactively within critical infrastructures. While the deployment of defensive technical barriers, such as firewalls, intrusion detection systems, etc., is a necessary action to provide sufficient protection for digital networks that hold sensitive data or have supervisory control and data acquisition (SCADA) functions, the ability to develop a taxonomy of the perpetrators' motivations behind the vectors within the cyber-threat matrix can assist in making a more accurate assessment of the threat each type of actor presents to specific elements within specific infrastructures. In addition, developing a foundational understanding of the motivations of malicious online actors facilitates the ability to construct plausible future threat scenarios that may emerge in the near- to mid-term timeline.
This chapter will start by providing some basic background for a schema that outlines six hypothesized motivational factors to encourage malicious online behaviors. The focus of the discussion will then turn to one specific motivation and within that motivation, one specific archetype — the civilian cyber warrior — that poses perhaps the most significant emerging threat to domestic and foreign critical infrastructures. Finally, the chapter will conclude with an analysis of some preliminary data in an ongoing study that investigates some of the factors that may relate to this specific type of online malicious actor.

THEORETICAL BACKGROUND 

Over the years, there have been a number of attempts to create taxonomies for malicious online actors. Many of these taxonomies rely partially upon the factor of skill and expertise possessed by the actor in various operating system platforms, networking protocols, digital hardware functionality, programming languages or shell scripting, or knowledge of specific system security strategies. These taxonomies also to some extent rely upon the type of target that the malicious actor specializes in. The Chiesa study utilized a combination of skill and target type as well as motivational attributes such as political reasons, escape from family situations, and conflict with authority as taxonomy criteria for classifying malicious online actors. The Rogers study described two different dimensions — skill level and motivation — to build a multiclass taxonomy of hackers. His hacker class taxonomy includes classes of hackers such as petty thieves, old guard hackers, professional criminals and, more recently, political activists. In Cyber Adversary Characterization: Auditing the Hacker Mind, Tom Parker, Eric Shaw, Ed Stroz, Matthew Devost, and Marcus Sachs place emphasis not only on the properties of the attacker, but their model also examines in detail other factors such as the perceived probability of success of attack, perceived probability of detection, and other attack-associated metrics.

The classification schema in this chapter is one developed by this author, Ofir Arkin, and Jeff Stutzman. This schema — labeled MEECES — describes six motivations for malicious online actors: Money, Ego, Entrance to social group, Cause, Entertainment, and Status. Money, of course, is the most obvious and self-explanatory motivation. The significant extent to which financial institutions have placed financial resources, such as checking, savings, credit lines, credit cards, and other components of the banking system online, has put tremendous amounts of financial capital at potential risk. The vast potential for wealth that has been exposed to the Internet has attracted a plethora of malicious actors from a number of different backgrounds. In addition to the malicious actors who were already motivated by financial gain, the magnitude of the financial resources available has likely also tempted other skilled individuals who might otherwise not have been spurred to action by this motivation.

Further, there are geo-economic factors at work here as well. Perhaps for the first time, for individuals in countries where the standard of living is lower in comparison to first-world industrialized countries, the potential for finding gainful employment is uncertain, and, in some cases, the economic climate has forced highly educated individuals into underemployment, the allure of the possibility of gaining access to and illegally acquiring significant sums of money is great. This has also led to the migration of more traditional organized crime members into the cyber environment. This infusion of sometimes technically unsophisticated criminals into cybercrime has also changed the dynamics of cybercrime gangs.

This was not always the case. During the early years of the hacking community, individuals who used their technical skills for personal monetary gain were shunned by the rest of the community. It was considered a violation of the code of ethics for hackers to deploy their skills to steal money or financial resources. This norm violation is still in place today in the hacking community, but it has been substantially weakened by the increasing number of skilled individuals who utilize their expertise for unlawful financial gain as well as the influx of a more traditional criminal element.

Ego is the second motivation in the schema. Ego motivates individuals through the feelings of accomplishment that accompany overcoming a particularly difficult technical obstacle. Actions such as getting a hardware device to do something that was thought impossible, writing a complicated piece of code that intelligently adapts to situations, or bypassing a sophisticated security system such as a firewall or intrusion detection system are all examples of behaviors associated with the ego motivation. Note that the actions do not necessarily have to be malicious in nature — even difficult obstacles that are overcome in the course of lawful employment relate to this motivation.

The third motivation for malicious online acts is entrance to a social group. Hacking groups are more or less status-homogenous in terms of technical expertise. While there is likely a leader of the hacking group who possesses somewhat higher levels of skill and expertise, the majority of the individual group members have somewhat similar levels of technical proficiency, although it is likely that individuals are proficient in different areas, such as different operating systems or programming languages. This means that in order for an individual to join the group, that individual must possess levels of expertise similar to the members of the group he or she wishes to join. The key question is, how do prospective candidates demonstrate their level of expertise? It is almost certain that the members of the hacking group will not consider the word of the candidate at face value. One of the pathways in which the prospects can demonstrate their skills is writing an elegant piece of malicious code. Once written, the code goes to the hacking group, which in turn evaluates its function and programming aesthetic. If the group feels the code displays at least the minimum skill level necessary to belong to the group, it will admit the candidate. The code itself is often given to the members of the group as a sort of "initiation fee."

Cause is the fourth motivation for malicious online actors. Cause is defined as the use of technical expertise or skill in the pursuit of political, social, cultural, ideological, religious, or nationalistic goals. Hacktivism is one of the more common types of malicious online behavior. The most common hacktivism events often take the form of website defacements. Examples of hacktivism include the long-running attack by the group Anonymous on the Church of Scientology starting in 2008, attacks on Australian government websites by individuals upset by government plans to censor the Internet, and the continuing saga of the Wikileaks exposure of hundreds of thousands of classified documents. Cause may also take the form of individuals launching a cyber attack against assets of a foreign country or even their own country in response to government actions that the individuals find objectionable. This specific instance of cyber attacks motivated by cause defines the actions of the civilian cyber warrior.

Entertainment is probably the least known and least common motivation for malicious online acts. Its origins probably emanate from the early beginnings of the hacker community. During these early days, humor often served a functional purpose in sharing common values by constructing humorous stories and tales that contained plays on technical terms and concepts. Humor also functioned as a mild form of social control — playing a humorous prank or joke on another hacker or system administrator often brought a bit of humility to the victim and returned a sense of balance to the social situation. Compromising a machine and leaving a humorous taunt directed at its system administrator for the lack of security controls at the compromised machine was a not-too-uncommon event.

Entertainment as a motivation for acts — malicious or not — appeared to decline for some time after the early years but has recently made a resurgence. This increase in incidences of the entertainment motivation may be due in part to the preponderance of potential victims — the influx of less technical individuals into the hacking community as well as the tidal wave of technically challenged people pouring onto the web has likely facilitated the popular return of this motivation.

The final motivation is that of status. The hacking community can be described as a strong meritocracy. The position of individuals in the status hierarchy of their hacking group depends upon the level of technical skills and expertise they possess relative to other members of the group. The higher the level of expertise, the higher the status of the individual is in that hacking group. Note that this positive relationship is also salient when an individual in one hacking group is compared to another hacker in the larger hacking community. The person with the higher level of skills possesses the relatively higher status.

As was the case with the entrance to social group motivation, the validation of one's expertise and thus one's status within the hierarchy can be difficult to achieve. The difficulties in proving authorship of an elegant piece of code, especially to someone outside one's normal hacking group, make this avenue of validation more problematic. One avenue that does appear to work is the acquisition of status through contests of skill, which often occur at hacker conventions. Typically these are some variation of "capture the flag" contests, in which the objective of the contest is to use your hacking skills and expertise to compromise computer systems in order to search out and find a catch phrase or encryption key — the possession of which provides evidence that the contestant possesses the requisite knowledge and skill to compromise the computer and acquire the flag.

A similar exercise involving employment of malicious online acts in the wild can also lead to status acquisition and validation. One example of this is the acquisition of secret documents as a means to gain status. In this situation, one assumes that the secret documents have such value that they are heavily protected by a number of sophisticated means, often in some sort of defense-in-depth configuration. In order to come into possession of electronic copies of these secret documents, the malicious actor must use a significant amount of technical expertise and skill to break into the server without detection and exfiltrate copies of the secret documents.

One interesting consequence of obtaining status this way is that in the end, status exists within the possession of the secret documents. That is, these documents are status objects — they are items that in and of themselves impart status and have status. If the malicious actor publicizes or distributes the secret documents to his or her friends, then that actor in effect expends the status value that these documents have. Once they become collectively owned, they lose their status value and, consequently, the malicious actor loses status at the same time. This is one reason why, perhaps, in the case of Wikileaks, the principal actor in the incident — Julian Assange — was loath to disclose all of the documents at once, because he would have expended all of their status value and would have subsequently lost most of the status that was associated with their exclusive possession.

THE EMERGENCE OF THE CIVILIAN CYBER WARRIOR

The past few years have witnessed a significant focus on cyber-based threats. The realization that the nation's critical infrastructures and the military are vulnerable to digitally based attacks has generated a flurry of interest and activity, both by parties with substantial interests in the area, such as governmental entities carrying out national security directives, and within the military, which deploys not only defensive strategies but offensive strategies as well. The cyber arena has turned into the next battlefield.

The focus on the malicious actors targeting critical infrastructures in most of these scenarios has been directed at elements of foreign nation-state intelligence organizations or military forces and at previously identified foreign terrorist groups. What has often been lost in the rush to protect critical infrastructures from digital attack is the idea that isolated individuals or small groups of individuals are, to a great extent, an unseen emerging threat vector to the nation's critical infrastructure.

What are the possible social dynamics behind this emerging threat? One central theme may be how technology is driving shifts in power relationships between nation-states and individuals. Foucault discusses at length the relationship between knowledge and power. His argument might extend to the power-knowledge relationship inherent in the possession of expert knowledge of the technical aspects of the digital control and communications systems embedded within national critical infrastructure. As Mathews observes, "information technologies disrupt hierarchies, spreading power among more people and groups."

The key concept here is that perhaps for the first time in history, a regular civilian can effectively attack a nation-state, in this case through a cyber attack on some component of that nation-state's critical infrastructure. "Effective" in this sense means that the attack can cause significant widespread damage, has a reasonably high probability of success, and carries a low probability of the perpetrator being apprehended. While some might argue that political assassination is already an existing instance of this, the questions surrounding the probability of success, and certainly those around avoiding apprehension, make this less likely to be the case.
An example of this shift in the balance of power between nation-state and individual may help the reader grasp the magnitude of the social-psychological shift in thinking. Imagine that you are a citizen of country A and the government of country B is the direct causal agent of some significant actions that negatively affect your homeland and its people. Prior to the emergence of the Internet, an individual might write a letter to the President of country B explaining why he or she objects to country B's actions. What is the likely result? Probably nothing happens that changes the actions or consequences of country B.

So this individual joins others who have similar feelings and meets them at the embassy of country B to protest. What is the likely outcome of this action? The individual is likely to be arrested or injured by the crowd or by police action, without any real effect on country B. As the next step in the escalation, this individual cashes out his or her bank account, travels to country B, obtains some explosives, and plots to damage a government building. Again, the outcome is likely not to be favorable. There is a reasonable chance that the individual will be detected by intelligence agents and/or law enforcement and arrested before he or she has the opportunity to carry out the plan. Another possible outcome is that the individual ends up blowing him- or herself up while preparing the explosive device. Finally, even if the individual manages to execute the plot, he or she is likely to be arrested and, while the damage to the target might be significant, in an overall sense the nation-state and people of country B are intact.

This example reinforces the idea that a cyber attack on a national asset is a much more attractive path, because it likely has significantly more favorable outcomes for the malicious actor. If this is the case, then why haven't widespread incidents involving isolated individuals launching serious cyber attacks against national critical infrastructures occurred more often? Rogers suggests that it is because criminals have been "reluctant to cross certain ethical boundaries" that perhaps terrorists are willing to cross. A more likely reason is that this potential shift in the power relationship between individuals and the nation-state has just not reached cultural salience. As awareness of the shift in the power balance diffuses into the more general population, in combination with the development and distribution of sophisticated cyber attack tools adapted for less technical end users, the pool of potential malicious attackers who pose threats to online systems and critical infrastructures steadily grows.

Eventually one may begin to see the consequences of this sequence of events; hence the importance of understanding more about the potential emerging threat from the civilian cyber warrior. One of the first things one might want to investigate in the chain of actions for a terrorist act is the initial starting point, where individuals begin thinking about and rehearsing in their minds the nature, method, and target of the terrorist attack. What does one know about the propensity of individuals in the more general population to contemplate a terrorist act? What magnitude or severity of damage might someone consider justified? There is a paucity of research focusing on this area, especially from a cyber attack perspective. The following analyses are some preliminary results from a recent, ongoing study of the severity predictors of an attack on a foreign country's critical infrastructure and of the severity levels of an attack directed at one's own homeland.
METHODOLOGY


The following analyses use preliminary data collected from a study by Holt and Kilger. The sample for this study comes from undergraduate and graduate students at a large Midwestern U.S. university. Students received an email inviting them to participate in the study; embedded within the email was a link to the online survey. A preliminary sample of 357 students completed the survey for the purposes of this analysis. The survey itself consisted of measures of the level of technical expertise; hours spent online; questions about previous history of ethical conduct using computers; nationalism; the country considered to be one's homeland; out-group antagonism measures; demographics; and other relevant measures.

The study design was a 2 x 2 factorial design. The first factor is the type of attack: cyber or physical. One of the objectives of the study was to investigate the potential relationship between cyber and physical attacks on critical infrastructure. The second factor was the target country. The target country could be a nation-state that the respondent did not consider to be his or her country or homeland, that is, a foreign target. Alternatively, the target country could be a nation-state that the respondent stated was his or her homeland or own country, that is, a homeland target. The homeland target was felt to be especially relevant in gaining some understanding of which independent variables might be associated with an attack on one's own domestic critical infrastructure. The study design appears in Table 3-1.
                           Target of Attack
Type of Attack     Foreign Country     Homeland
Cyber              Cell 1              Cell 2
Physical           Cell 4              Cell 3

Table 3-1. Dependent Variable Design.

The dependent variable was the severity of the attack that the respondent felt was appropriate for the individual scenario outlined in each of the four study cells. The scenario for a physical attack on a foreign country gave the respondent the following instructions:

Imagine that the country of Bagaria has recently promoted national policies and taken physical actions that have had negative consequences to the country that you most closely associate as your home country or homeland. These policies and actions have also resulted in significant hardships for the people in your home country. What actions do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.


Following the instructions was a set of possible actions the respondent could take. These actions were ordered from the lowest severity, doing nothing, to the highest severity response, in this case traveling to Bagaria and damaging a government building with an explosive device. There were eight categories in all. Note that respondents were instructed to assume that they had the abilities to carry out any of the responses. This was to ensure that they did not reject any category response because they felt they did not have the skills or logistics to carry out that action successfully. Also note that respondents were allowed to select more than one action. This conformed the potential reactions to real-world situations in which multiple attacks might be contemplated, and also provided more layers of complexity within the dependent variable.

The cyber attack scenario had similar instructions but, of course, a different set of response categories available for the respondent to select. Here are the instructions for the second part of the foreign target country scenario:

Aside from physical activity, what online activities do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.

There were nine possible response categories ordered by level of severity, ranging from doing nothing to compromising a nuclear power plant with the subsequent release of a small amount of radiation. Again, respondents could assume they had the skills necessary to carry out the attack. They also could, as was the case for physical attack responses, select multiple attacks with differing levels of severity.

The remaining two cells of the design involved retaliation against the respondent's home country infrastructure (e.g., a domestic terrorist attack) for actions that his or her homeland or home country had taken against its own people. Here are the scenario instructions for the physical homeland attack:

Imagine that the country that you most closely associate as your home country or homeland has recently promoted national policies and taken physical actions that have had negative consequences to your home country. These policies and actions have resulted in significant hardships for the people in your home country. What actions do you think would be appropriate for you to take against your home country given their policies and physical actions? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.


These instructions were followed by the same set of eight potential responses as found in the physical attack measure, ordered once again by severity from low to high. Similarly, the cyber attack scenario on the respondent's own homeland or home country had the following instructions:

Aside from physical activity, what online activities do you think would be appropriate for you to take against your home country given their policies and physical actions? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.

Again, these scenario instructions had the same set of cyber attack responses as was the case for the cyber attack against Bagaria's critical infrastructure.

Because all of the respondents provided answers to each of the four scenarios, this study design facilitated the examination of a number of important variations in the nature of an individual's attack on a nation-state, as well as the potential relationship between the severity of potential cyber attacks and physical attacks.

RESULTS AND DISCUSSION 

The results presented in this chapter are preliminary, because more data are being collected for the study. In addition, the authors of the study are still engaged in developing and testing a number of multivariate statistical models incorporating a number of the independent predictor variables available in the data. However, because of the unique nature of this study, some initial descriptive results and simple univariate tests will be reported here.

First, an examination of the frequency distribution of the dependent variables for each of the four cells in the study is useful. The response frequencies for a physical attack on a foreign country appear in Table 3-2.


Action                                                                                    Percent Response
Do nothing — let your country work it out on its own                                                 37.8%
Write a letter to government of Bagaria protesting their actions                                     53.6%
Participate in a protest at an anti-Bagaria rally                                                    56.6%
Travel to Bagaria and protest at their country's capitol building                                    23.8%
Travel to Bagaria and confront a Bagarian senior government official about their policies            20.0%
Travel to Bagaria and sneak into a military base to write slogans on buildings and vehicles           1.3%
Travel to Bagaria and physically damage an electrical power substation                                2.6%
Travel to Bagaria and damage a government building with an explosive device                           0.9%

Table 3-2. Physical Attack Frequencies on Foreign Country.
Fewer than 38 percent of respondents felt that doing nothing was an appropriate response to the scenario. The most popular responses were writing a letter (53.6 percent) or protesting at a rally against Bagaria (56.6 percent). Interestingly, a nontrivial percentage of respondents would consider traveling to Bagaria to participate in some sort of civil disobedience, either protesting in the capitol (23.8 percent) or confronting a senior government official (20.0 percent). Finally, a small but nonetheless troubling number of respondents would consider sneaking onto a military base (1.3 percent), damaging a power station (2.6 percent), or damaging a Bagarian government building with an explosive device (0.9 percent). Now compare this to the responses that an individual respondent would make in conducting a cyber attack against a nation-state. Table 3-3 below shows the frequency distribution for a cyber attack on a foreign country.

About 36 percent of the respondents indicated that doing nothing in terms of mounting a cyber attack against Bagaria was an acceptable response. Interestingly, over 75 percent of the respondents felt that posting a comment criticizing the Bagarian government was an appropriate response. This should not be surprising, given the involvement of a large proportion of the online population in social networks. It may also suggest that social networks serve a functional purpose in providing a nondestructive way for individuals to register their displeasure with a government or nation-state.
Action                                                                                                   Percent Response
Do nothing — let your country work it out on its own                                                                36.2%
Post a comment on a social networking website like Facebook or Twitter that criticizes the Bagarian government      75.3%
Deface the personal website of an important Bagarian government official                                            11.2%
Deface an important official Bagarian government website                                                            10.2%
Compromise the server of a Bagarian bank and withdraw money to give to the victims of their policies and actions      5.1%
Search Bagarian government servers for secret papers that you might be able to use to embarrass the Bagarian
  government                                                                                                         8.5%
Compromise one or more Bagarian military servers and make changes that might temporarily affect their military
  readiness                                                                                                          6.4%
Compromise one of Bagaria's regional power grids, which results in a temporary power blackout in parts of Bagaria     2.6%
Compromise a nuclear power plant system, which results in a small release of radioactivity in Bagaria                 0.4%

Table 3-3. Cyber Attack Frequencies on Foreign Country.

Moving up the severity scale in Table 3-3, a nontrivial number of respondents would engage in some sort of website defacement: 11.2 percent would deface the website of a specific government official, while 10.2 percent would deface a more general Bagarian government website. While website defacement is generally considered rather modest damage as far as cyber attacks go, it is still an illegal act and can cause significant embarrassment to the targeted government.

The remaining response categories in Table 3-3 are cyber attacks that are more serious in nature. A little over 5 percent of the respondents would attack a Bagarian financial institution and distribute the stolen funds to victims of the Bagarian government's actions. In addition, about 8.5 percent of respondents would steal secret government documents to embarrass the Bagarian government, a la the Wikileaks incident.

Now looking at attacks focused more directly on the nation-state itself, about 6.4 percent of respondents would consider a cyber attack against a foreign country's military an appropriate response to actions taken by that country. Finally, looking at cyber attacks focused more specifically on a country's critical infrastructure, 2.6 percent of respondents would consider an attack on another country's electrical grid an appropriate response, while 0.4 percent would consider attacking a nuclear power plant in a foreign country appropriate retaliation for acts committed by that country.

An initial examination of the severity of the physical and cyber attacks that respondents felt were appropriate to launch against a foreign country brings both good news and bad news to the table. On the one hand, the vast majority of respondents selected only responses that had minor or no consequences for the targeted foreign country. On the other hand, a nontrivial number of respondents personally advocated the use of physical and cyber attacks against a foreign country that would have moderate to very serious consequences. While there is some comfort in the fact that expressing an intention to commit terrorist acts is only the first link in the behavioral chain from ideation to the execution of an attack, and bearing in mind that this is a scenario-based situation, even a small incidence of individuals who would consider some of the most serious acts is troubling. This suggests that the emergence of the civilian cyber warrior (and perhaps the physical attack counterpart) is an event that should be taken into account when developing policies and distributing resources across national priorities to protect national critical infrastructure.

In contrast to the previous scenarios, in which feelings of nationalism may have played a substantial part in motivating individuals to react with more severe physical or cyber attack responses against a foreign nation-state, attacks against one's own country go against many of these nationalistic sensibilities. Nonetheless, domestic terrorism has in recent years gained significant national attention, both in the press and within federal law enforcement agencies.

The particular design of this study introduces an additional interesting and valuable complexity to this and future analyses. Approximately 10.4 percent of the respondents completing the survey identified themselves as having a homeland that was not the United States. Therefore, the homeland that they referred to in these next two scenarios was not the United States but rather a foreign country. This means that it is possible to compare attacks on the homeland when that homeland is the United States and when it is a foreign country. This may provide some additional perspective on cross-cultural differences in the civilian cyber warrior phenomenon.

The first scenario is the one featuring a physical attack against one's own homeland. Table 3-4 displays the frequency distribution for the same response set that was used in the physical attack against a foreign country scenario discussed earlier.
Action                                                                                    Percent Response
Do nothing — let your country work it out on its own                                                 28.9%
Write a letter to government of Bagaria protesting their actions                                     68.9%
Participate in a protest at an anti-Bagaria rally                                                    60.0%
Travel to Bagaria and protest at their country's capitol building                                    51.5%
Travel to Bagaria and confront a Bagarian senior government official about their policies            28.5%
Travel to Bagaria and sneak into a military base to write slogans on buildings and vehicles           2.1%
Travel to Bagaria and physically damage an electrical power substation                                1.7%
Travel to Bagaria and damage a government building with an explosive device                           0.9%
Compromise a nuclear power plant system, which results in a small release of radioactivity in Bagaria 0.4%

Table 3-4. Physical Attack Frequencies on Homeland.

Approximately 28.9 percent of respondents stated that doing nothing to their homeland was an appropriate response. Interestingly, this percentage was substantially smaller than that found in the foreign country example (37.8 percent). Perhaps one reason for this is the potency of the negative feelings an individual has when one's own country commits acts against its own citizens.

Following that pattern, substantially more respondents selected writing a letter (68.9 percent) or attending a protest rally (60.0 percent) against their own country than was the case when the offending nation-state was a foreign country. Similarly, more people were willing to travel to their own capitol city and either protest (51.5 percent) or confront their own government official (28.5 percent) than in the foreign country physical attack scenario. Vandalizing military property belonging to one's own armed forces had an incidence of 2.1 percent, while attacking one's own national critical infrastructure had incidence rates of 1.7 percent for an attack on the power grid and 0.9 percent for an attack on a nuclear plant. A comparison of these last three attack responses between the foreign country as target and the homeland as target did not reveal a consistent pattern, as was the case for the other scenarios.

The final scenario involved cyber attacks against one's own country or homeland. The frequency distribution for this scenario appears in Table 3-5.

Almost 36 percent of respondents felt that doing nothing was an appropriate response when considering a cyber attack on their homeland. Again, about 75 percent of respondents would post a critical comment about their own country on a social network, very similar to the foreign country cyber attack scenario. Defacing the website of a specific official in their own government received a 12.8 percent response, while defacing a more general government website was chosen by 11.5 percent of respondents as an appropriate response. Approximately 4.3 percent of respondents would extract funds from a bank based in their own country to distribute to the victims of aggressive action on the part of their own homeland.
Action                                                                                                   Percent Response
Do nothing — let your country work it out on its own                                                                35.7%
Post a comment on a social networking website like Facebook or Twitter that criticizes your home country's
  government                                                                                                        75.3%
Deface the personal website of an important government official for your home country                               12.8%
Deface an important official government website for your home country                                               11.5%
Compromise the server of a bank and withdraw money to give to the victims of your home country's policies and
  actions                                                                                                            4.3%
Search your home country's government servers for secret papers that you might be able to use to embarrass the
  government                                                                                                         8.9%
Compromise one or more of your home country's military servers and make changes that might temporarily affect
  their military readiness                                                                                           4.7%
Compromise one of your home country's regional power grids, which results in a temporary power blackout in parts
  of your home country                                                                                               1.7%
Compromise a nuclear power plant system, which results in a small release of radioactivity in your home country      0.9%

Table 3-5. Cyber Attack Frequencies on Homeland.

A surprising 8.9 percent would consider actions akin to a Wikileaks event, in which they would attempt to exfiltrate copies of secret documents in order to embarrass their own government. Almost 5 percent would use a cyber attack to reduce the readiness of their own military forces. A little over 1.7 percent of respondents would attack their own national power grid, while just 0.9 percent suggested that attacking a nuclear power plant in their own country would be an appropriate response.

When one compares the homeland cyber attack distribution to the foreign country cyber attack distribution, the two appear more similar in shape than the two physical attack distributions. It is unclear why this might be the case; perhaps it is because some of the foreign country physical attack responses require actual travel, which may involve more risk than the cyber attacks, for which it does not matter where the attacking individual is geographically located.

Now that we have an idea of the frequency distributions of the variables of interest, some simple, initial univariate analyses may prove useful. One obvious question concerns the hypothesis that there might be some difference between the severity levels of an attack based on whether the target was a foreign country or one's own homeland. Controlling for the type of attack facilitates the analysis, because the response scales involved in the comparison are identical. For these and subsequent analyses, given the multiple-response nature of the response variables, the maximum severity response is used as the indicator of the severity of the response chosen by the respondent. That is, the study uses the most severe of all the responses the respondent selected for a particular scenario. A simple parametric dependent-sample paired t-test can be employed for these comparisons. Severity scores range from one to eight for physical attack responses and from one to nine for cyber attacks, with the highest value being the most severe response.

Comparing target countries, foreign country versus homeland, the first thing to notice in Table 3-6 is that all the means have reasonably small values compared with the range of the scale. This is the result of most of the respondents selecting attack responses that were modest in severity. If there is a silver lining in this cloud, it is the fact that most of the respondents selected either no action or actions that had modest consequences. One would not want to live in a world where the results revealed values near the top of the scale; however, in some less robust countries, this generalization might be false.


Comparison           Mean Severity        T        Df    Sig (2-tail)
Cyber Foreign            1.62             .57      356       .569
Cyber Homeland           1.60
Physical Foreign         2.94            -7.80     356      <.001
Physical Homeland        3.46

Table 3-6. Foreign Versus Homeland Target.

Interestingly, there is no evidence supporting a difference in mean attack severity between foreign and homeland targets for the cyber attack scenarios. If nationalistic factors were involved here, one would expect a more severe attack directed toward the foreign country. Perhaps the fact that one can launch this kind of attack without ever being physically close to the target has some effect that attenuates an individual's propensity to launch a more severe attack on one type of target than the other.

Examining the mean differences for the physical attack scenario, a statistically significant difference is detected: it appears that respondents selected a more severe level of attack for their own homeland than they would for a foreign country. Certainly, it is not traditional nationalistic factors at work here. One possible reason for this might be the strong reaction of individuals to a government whose actions hurt their own people. One might think of this as a type of nationalism turned "inside out." One of the basic functions of government is to obtain and maintain the security and safety of its people. Governments violate a very strong cultural norm when they intentionally hurt the very individuals they should protect.

Finally, given that skill plays an important role in the strong meritocracy of the hacking community, there might be a positive relationship between the severity of an attack on a nation-state's infrastructure and the skills of the individual selecting the type of attack. A principal components factor analysis was performed on eight measures of computer skills, such as installing an operating system or handling security issues, to produce a factor score-based variable that represents the technical skills claimed by the respondent.

A quick look at Table 3-7 reveals weak but statistically significant positive correlations between the skill factor variable and attack severity across all four attack scenarios. This suggests, as one might expect, a positive correlation between cyber attack severity and an individual's skill level. What is more surprising is that these correlations also exist between technical skills and physical attack severity. In addition, these weak but detectable correlations persist across both homeland and foreign country targets. Although caution must be taken because these are preliminary data, this finding may suggest that individuals with technical skills pose multidimensional threats to critical infrastructure elements. It also suggests that there could be some crossover in the mode of attack for individuals. This may be especially enlightening in the scenario in which individuals whose traditional mode of attack is cyber-based transition to either a blend of cyber and physical attack or eventually migrate to a strictly physical attack.


Scenario              Pearson's r    Sig. (1-tail)
Physical Foreign      0.096*         0.030
Physical Homeland     0.118*         0.013
Cyber Foreign         0.100*         0.030
Cyber Homeland        0.109*         0.020

Table 3-7. Correlations between Skill Factor and Attack Severity.

CONCLUSION 

Hopefully, this discussion has addressed several objectives. First, it has given the reader a basic fundamental understanding of motivations associated with actors who perpetrate malicious online behaviors — knowing your enemy can be a key element in gaining a comprehensive perspective on attacks against online targets. A second objective of the study is to identify specific instances of the civilian cyber warrior as a potentially more serious threat to critical infrastructure. Finally, some simple and initial analyses on preliminary data from a recent study have provided some empirical data that can be useful in guiding further investigation.

Future analyses involving multivariate analyses of the civilian cyber warrior used in this chapter are already underway, and very preliminary results suggest that some of the independent predictor variables have statistically significant relationships to attack severity. Hopefully, this research will encourage others to pursue similar areas of investigation with the objective of better predicting the level of threat that the nation's critical infrastructure faces.
PART II: 
LAW AND CYBERCRIME 


CHAPTER 4 


CHANGING THE GAME: 
SOCIAL AND JUSTICE MODELS 
FOR ENHANCED CYBER SECURITY 

Michael M. Losavio 
J. Eagle Shutt 
Deborah Wilson Keeling 

Thanks to the City College of New York, Grove 
School of Engineering, the Strategic Studies Insti- 
tute of the U.S. Army War College and the 2009 Cy- 
ber Infrastructure Protection Conference, and Oak 
Ridge National Laboratory and its Cyberspace Sci- 
ences and Information Intelligence Research (CSIIR) 
Group and CSIIR Workshop 2010 for helping develop 
these themes. 

INTRODUCTION 

To change the game in cyber security, we should 
consider criminal justice and social education models 
to secure the highly distributed elements of the infor- 
mation network, extend the effective administration 
of justice to cybercrime, and embed security aware- 
ness and competence in engineering and common 
computer practice. This chapter examines models of 
such behavior. 

A broad approach is needed, since no single group of agencies can combat cybercrime alone. The approach to cyber security and cybercrime must change and expand. Traditional models for combating internal and transnational threats can assist with cyber security, even as information networks have expanded the risks to information security.
Physical security itself is insufficient, when an inmate in a correctional facility can crack the network from within the jail. Information control via ever-smaller handheld devices is increasingly difficult. For example, almost 53 percent of inmates in one state's correctional facilities misused electronics. See Figure 4-1.


[Figure 4-1 chart not reproduced; legend: Misuse in Facility]

Source: Proceedings of IEEE Workshop on Systematic Approaches to Digital Forensics Engineering, 2010.

Figure 4-1. Percentage of Respondents Who Experienced Computer Misuse in Their Correctional Facilities.

Although the nation's homes may be castles, protected as no other space in American civil society is, that may not be true in regard to cyber security. As the 2003 National Strategy to Secure Cyberspace observed, these houses may offer targets of choice as sources of gain and tools for attack. The Internet puts the criminals and terrorists worldwide at our electronic doorstep, magnifying the risks and problems in addressing these information security problems. Cyber security must address how to achieve security in such a disparate, target-rich environment as that of worldwide computing.

The National Cyber Leap Year Co-Chairs Report addressed the need for "game changing" approaches. One novel approach used "Cyber Economics" for developing a market-type engagement in cyber security issues. This approach proposed four economic strategies for examination via research and policy implementation for "game-changing" solutions in cyber security:

1. Mitigating Incomplete Information: Mitigate incomplete and asymmetric information barriers that hamper efficient security decisionmaking at the individual and organizational levels.

2. Incentives and Liabilities: Leverage incentives and impose or redistribute liabilities to promote secure behavior and decisionmaking among stakeholders.

3. Reduction of Attackers' Profitability: Promote legal, technical, and social changes that reduce attackers' revenues or increase their costs, thus lowering the overall profitability (and attractiveness) of cybercrime.

4. Market Enforceability: Ensure that proposed changes are enforceable with market mechanisms.

Incentives and new liabilities would include expanded vendor, Internet service provider (ISP), registrar and registry accountability, liability, and rewards for protective conduct, or the lack thereof (emphasis added). The report further notes that cyber security metrics are "poorly investigated," in that there is no accepted foundation for: (1) the information to collect; (2) the use of such information; and, (3) the weight of such information as to elements of uncertainty, inaccuracy, and error in its collection.
Similarly, there are challenges to the orthodoxy of security engineering education that contend certain "myths" about security, such as the sufficiency of purely technical solutions and defense-in-depth strategies. These myths impede the creation of effective cyber security systems.

CRIMINAL JUSTICE MODELS 

The Application of Criminal Justice Models 
to Cyber Security. 

In 2000, the Strategic Studies Institute (SSI) of the U.S. Army War College (USAWC) published a discussion on how criminal justice models might integrate into cyber security systems. The techniques and resources of state and local law enforcement and criminal justice entities could fit within national response. This seems appropriate, as communication networks have blurred national boundaries. The discussion also addresses the risks such an enmeshed world would create to civil society and its liberties, in which responses to attack risk "profound constitutional and security challenges" for the United States.

Safety and security require more than technical 
protections and police response. They need a critical 
blend of those elements with individual practice and 
social norms. Social norms matched with formal insti- 
tutions enhance public safety; this also holds true in 
the cyber realm. 

Informal and formal modes of controlling and limiting deviant behavior are essential for effective security. Laws, procedures, and criminal justice agencies are all modes of formal social control. Attitudes, values, and actions of individuals represent potentially powerful informal modes. A community with a high degree of both modes will have a strong overall level of social control. These efforts must be incentivized and empowered at all levels. Where there is consonance in these two modes, there will be the greatest security.

Examples: Routine Activity Theory/Opportunity Theory 
and Displacement Theory. 

This study suggests that the routine activity the- 
ory/opportunity theory and displacement theory — 
frameworks for analyzing crime in communities — are 
ways to conceptualize and pattern the benefits of in- 
formal social control on cyber security. 

Routine activities theory (RAT) posits that each of 
three elements contributes to a heightened or lessened 
risk: a suitable target, a lack of guardianship, and a 
motivated offender. The absence of one of these ele- 
ments reduces the risk of misconduct, whereas their 
convergence increases it. For cyber security, the analy- 
sis should equally consider the availability of suitable 
targets, a presence or lack of suitable guardians, and 
an increase or decrease in the number of motivated 
offenders, particularly those seeking financial gain or 
state advantages. 

Changes in attitudes among those who use these cyber systems can increase suitable guardians and reduce suitable targets, thereby changing the risk equation. This is a vital part of informal social control that must develop with and without technical supplements. There is no technical "patch" for ignorance.

The overall power of social control is a function of both formal and informal controls. Laws, public policies, and law enforcement exemplify elements of formal social control, whereas community attitudes and norms exemplify informal control. While both spheres can impede crime, states with the greatest levels of control will have high degrees of both formal and informal social control.

In cyber security contexts, high levels of informal social control are essential to deter cyber attacks, particularly since attackers exploit the anonymity and distance-collapsing features of cyberspace as vectors for attack. For example, open source software practices have led to questions regarding cyber security. Yet, this software represents a collaborative social network that self-organizes and grows as a preferentially attached network. Such preferential attachment to cyber security can promote a distributed security regime through commitments to competent and suitable guardianship of the nodes and network around the subject code project.

Online social networks suggest opportunities for the examination of RAT-based security promotion. Facebook, MySpace, and Livejournal are all online social networks that promote cyber security both within and outside their domains. The observation, reporting, and notice/alert possibilities of network members who are competent and committed to security and protection can expand the guardianship network for anomalous behavior; they may also serve to reduce target vulnerability directly.

The information social network for the open source encyclopedia, Wikipedia, is another example of a community of guardians that has been successful in securing the information it presents. It may also serve as an example of risks due to its uncertainty of information assurance in topic areas lacking extensive guardian participation. The possibilities of such social networks for enhancing cyber security are significant, if realized. Alan Mislove, Massimiliano Marcon, Krishna Gummadi, Peter Druschel, and Bobby Bhattacharjee found that online social networks have small-world and scale-free properties based on power-law; these would indicate potential for the expansion of a guardian security regime. Others contend that though some aspects of RAT can apply to criminal activity involving computing systems, there are key differences that limit the utility of the model. The collapse of the social network may degrade the security of information. There must be vigilance in seemingly normal activity used to mask an attack.

Consider M. Felson and R. V. Clarke's 10 principles of crime opportunity theory:

1. Opportunities play a role in causing all crime.

2. Crime opportunities are highly specific.

3. Crime opportunities are concentrated in time and space.

4. Crime opportunities depend on everyday movements of activity.

5. One crime produces opportunities for another.

6. Some products offer more tempting crime opportunities.

7. Social and technological changes produce new crime opportunities.

8. Crime can be prevented by reducing opportunities.

9. Reducing opportunities does not usually displace crime.

10. Focused opportunity reduction can produce wider declines in crime.

Figure 4-2. Ten Principles of Opportunity and Crime.

These principles may be mapped to a variety of technical and nontechnical factors that enhance or diminish cyber security. Identifying opportunities and mitigating them are a major focus of information security research in finding technical vulnerabilities of systems. These vulnerabilities are specific and limited to the user space of a specific system, particularly those of typical system use. Once an exploit is found and used, its use will be replicated in other situations. Mitigation of these exploits may be both technical and nontechnical.

Certainly the expansion of social conduct into the online world has produced new crime opportunities within technology. As in other situations of expanding crime and social deviancy, the application to reduce these opportunities can have a beneficial effect in reducing cybercrime. Technical solutions certainly help, just as strong doors and locks help, but other factors, such as personal vigilance for self and neighbors and assured punitive response, can help as much or even more. These measures accord with the solution features suggested in the National Cyber Leap Year Co-Chairs Report.

Another application of criminological principles to cyber security relates to the use of criminal profiling and behavioral analysis. The reactive use of these techniques, much like the use of technical digital forensics in network settings, serves to focus an investigation and response in particular areas and on particular individuals. This, in some cases, may be as limited as the method of operation (modus operandi, or "MO") of a particular miscreant. But the reactive use goes beyond this to distinctive behaviors of individuals that are a priori and may lead to the use of particular operational methods or tools.

Proactive use of profiling deters, or prevents, crimes such as drug courier profiling. Frank Greitzer, Deborah Frincke, and Mariah Zabrieski discuss this in relation to the application of traditional security techniques to the identification of insider cyber security threats. The set of circumstances that have been associated with motives or disinhibitions leading to insider criminal activity, such as fraud or violence, may also match with insider cyber security breaches. The researchers note that, "Assessing ability, opportunity, and motivation is a primary decisionmaking task underlying the threat analysis." These factors may then map to information and network metrics as part of an enhanced alert for potential or actual threats to information security.

J. L. Krofcheck and M. G. Gelles note these nontechnical life factors and characteristics as risk indicators for insider cyber security threats:

• Non-U.S. citizen,

• Major life change,

• Access to classified information,

• System administrator rights,

• High level of computer skills and knowledge,

• Intermittent work history,

• Family/marriage issues,

• Legal issues,

• Credit/debt problems,

• Past or current arrest/criminal activity, and

• Strong interest in Blackhat community.

In turn, these indicators also present ethical and 
administrative issues with this security analysis, cre- 
ating possible problems due to the possible invasion 
of privacy, and false suspicions that undermine both 
the reputations and morale of staff. 

But there is the risk of creating hyper-romantic myths of profiling effectiveness. No profile alone has led to an arrest; rather, it is a directive tool of investigation that may be most effective when psychopathologies are present.

SOCIAL AND EDUCATION MODELS 

Cyber Security Awareness through Teaching 
Community Engagement. 

Opportunities for invasion are reduced when a 
system user recognizes the risks and personally miti- 
gates them. This could be as simple as not opening an 
email attachment from an unknown correspondent or 
permitting an unknown program permission to run. 
Such security could be achieved through the engage- 
ment of computer engineering students to broaden 
their understanding of their responsibilities to both 
the profession and to the public. 

As with community safety relating to violent crime, 
cyber security requires effort and engagement, includ- 
ing general computing competence. But, there is little 
formal training in this area for the general public who 
are the most at risk. A model for such an engagement 
that would provide this training and awareness ap- 
pears below. 

The National Science Foundation-funded effort 
produced the Information Assurance and Security Eth- 
ics in Complex Systems: Interdisciplinary Perspectives, 
to demonstrate the value of an interdisciplinary ap- 
proach to cyber security development. This approach 
compiles many different and highly novel perspec- 
tives on information security and assurance, and en- 
compasses a broader review of the consequences of 
failure than is traditionally addressed. 
This collection begins with the challenge of how people view any problem and the natural tendency toward self-reference in framing issues. This may be quickly placed in the cyber security space, with computer engineering students directed to identify threats and responses. Through use of chapters dealing with "Social/Ethical Issues in Predictive Insider Threat Monitoring," "Peer-to-Peer Networks: Interdisciplinary Challenges for Interconnected Systems," and "Responsibility for the Harm and Risk of Software Security Flaws," students may then understand the greater complexity they face in security solutions as well as the legal and ethical consequences of failure in cyber security. Through their novelty, these perspectives push students to uncomfortable discussions that, in turn, may lead to better understanding of the challenges faced in order to achieve effective cyber security. These difficult discussions need to take place if there is to be effective security for our information and people.

Extending this information beyond the classroom 
becomes the next challenge. 

An Information Security Model. 

One model for expanding the discussion into real-life application implements the use of computer engineering students to handle community projects relating to cyber security. The Department of Computer Engineering and Computer Science at the University of Louisville introduced a community engagement/community-based learning/service learning component to its 500-level course on information security in the summer of 2009. This course, in addition to examining engineering, technical, and scientific foundations of data security, addressed issues relating to the administrative and practical implementation of secure computing practices. The community engagement/service learning component required the students to examine user responsibilities and their computer-related needs. The students also implemented a program to teach non-expert computer users safe and secure computing practices. This, in turn, allowed them to examine the foundations essential to information security and how to teach and communicate with others. The University of Louisville Engineering School has an extensive cooperative education program requiring students to work in industry. This community engagement/service learning component, however, requires the students to examine the interaction of computing systems with typical, non-expert users.

Service learning and community engagement components in 2009-10 courses on Information Security were directed at "authentic" issues of secure broad community deployment, the use of broadband services, the security of existing personal and small business systems, and user training. In addition to laboratory and design work, students created and implemented a detailed, low-level training program to community groups on user risk, conduct, and responsibilities related to online security. Training was administered in single presentations to various age groups ranging from elderly and retired individuals to elementary school students, with a focus on low-income communities. The following year, this program evolved into small group/one-on-one sessions with the targeted users.
Data Analysis and Outcomes for Students. 

An assessment of student learning outcomes revealed that through the service learning/community engagement component, students had enhanced learning related to issues of information security. Of the respondents, 66 percent agreed that the engagement component, "... helped me either connect what I learned to real-life situations or contributed to knowledge in the discipline." Three-fourths agreed that it, "... provided me an opportunity to apply skills and knowledge I have gained from my major courses." The 2009 community presentation on information security scored well when compared with other components in connecting learning to real-life problems, as shown in Figure 4-3.
Figure 4-3. Effectiveness in Connecting Learning to Real-Life Problems.
The program allowed students to address authentic issues in the discipline of Information Security, as detailed in Figure 4-4, with nearly three times as many students finding the community engagement component connected them to an authentic experience within their discipline as compared with the system design or laboratory components.
Figure 4-4. Application of Skills and Knowledge from Major Courses.

This indicates value in such teaching and learning 
components for the students themselves. 

The benefit and improvement in cyber security by 
those in the community receiving the training was 
studied in 2010 via surveys of the several site super- 
visors. Those surveys similarly indicated positive ex- 
periences with the training. The respondents agreed 
that the presentations covered new information on 
security for their target groups and improved the safe 
practices of those using computers. 
The response from the site supervisor for the senior citizens residential facility provided anecdotal comments that indicated additional concerns about both a desire to access online services and a need for fundamental skills. These comments, from individuals ranging from 67 years of age to 88 years of age, noted:

• I want to get online when I learn the basics of 
how to use a computer. Seniors are unable to 
help other seniors. They do not have the pa- 
tience or skills to explain things to other seniors. 
Every time you turn around, you need to have 
a computer. You can't enter a contest or shop 
online. If you want to learn more about a par- 
ticular news story, they tell you to go online. 
Many free discount coupons are only available 
online. 

• All my family has computers, and they talk 
back and forth to each other. I would love to be 
with them. 

• Keyboard would be difficult, but I would love 
to do family history research. 

• The students made my computer faster, much 
faster. We did not get into a discussion about 
security (the main concern was about medical 
information). 

• I never order anything on the computer. I have 
heard too many stories of persons losing every- 
thing by giving out credit information. 

• Students helped with setting up my games. I 
still have pop ups and must restart the games. 

These responses demonstrate both the need and desire for skills in secure, competent computing. The program offers a way to distribute security awareness and skills that meet the requirements of criminal justice theory and provide learning objectives within the discipline of computer engineering.

The National Collegiate Cyber Defense 
Competition. 

The National Collegiate Cyber Defense Competition brings together students from universities who compete regionally and then nationally to protect computer systems from cyber attacks. Lieutenant General Harry Raduege, Jr. (USAF, Ret.), chairman of the Deloitte Center for Cyber Innovation and co-chairman of the Commission on Cyber Security for the 44th presidency, has noted, "These exercises are vital training for people who will be safeguarding the nation's systems and infrastructure."

To prepare for the computer attacks of the future, 
the competing students must successfully defend 
their computer network against hostile attacks while 
maintaining operations in regional and national com- 
petition. Attacks against their systems are conducted 
by penetration testers from the industry. 

This is an intensive laboratory experience for the 
next generation of cyber defenders. It is another ex- 
ample of a social/education model for developing 
cyber security skills across the operational spectrum 
in an environment close to the real world, with all the 
complexities, ambiguities, and stresses it entails. 

FUTURE DIRECTIONS 

Areas of study and testing in expanding cyber security are recommended. This must move from concept to pilot models that one can measure for effectiveness. In the limited examples described here, data on the effectiveness of the training systems are one area that requires further study to establish firmly the benefit of this model. The testing and data on pilot projects are the next step to enhancing guardianship roles and hardening targets. For example, the Cyber Clean Center project of the Japanese Computer Emergency Response Team Coordination Center is a cross-disciplinary collaboration between JP-CERT, Trend Micro, ISPs, and various security vendors — the goal of which is to create a guardian network against botnet compromise and exploitation.

Participating ISPs operate decoy honeypot machines on their networks that serve as sensors for botnet activity. They log the Internet protocol (IP) addresses of infected machines, from which the ISPs notify the infected user of the compromise and offer a "BOT disinfestation website" with easy, clear instructions and downloadable tools to clean their compromised machines. The system is dynamic, with analysts monitoring sensor activity and creating "disinfestation" tools directed toward new threats.

The activity report data for April 2010 show a cumulative number of 484,583 (7,561 for April) alert emails sent to 100,696 (3,751 for April) recipients, with a cumulative download rate of disinfestation tools of 31.8 percent. The CCC data offer an opportunity to evaluate the effectiveness of methods, such as this one, in enhancing security, particularly as an application of the guardian roles in enhancing cyber security.

Melissa Hathaway, a cyber security expert during the George Bush and Barack Obama administrations, has suggested the online game "The SmokeScreen Game" as a novel way to promote secure behavior. The SmokeScreen Game is a British project that lets students test life online through social media and their interactions with others in the electronic world. The SmokeScreen Game addresses lies, malice, misinformation, and criminal online conduct, allowing young people to test these parameters in a simulation before being caught in a potentially damaging reality.

Lastly, the 2011 service learning and community 
engagement components will continue to collect ad- 
ditional data on the effectiveness of this model. Com- 
puter engineering students in the junior-level course 
on legal, ethical, and social issues in computing have 
begun more fundamental work with community 
members on competent computing — expanding the 
base of skills and producing additional data on basic 
user needs. 

CONCLUSION 

Cyber security is yet another facet of security in 
an uncertain world, an issue people have sought to 
address throughout human history. It requires global 
attention, not a belief that "police action" can solve all 
risks. Cyber security can be enhanced through the use 
of criminal justice and social education models to se- 
cure the highly distributed elements of the information 
network. It can extend the effective administration of 
justice to cybercrime and embed security awareness 
and competence in the use of pervasive and ubiqui- 
tous computing via novel and creative ways to engage 
people in their own online cyber security. 

Because this is happening swiftly in an expanding 
world of cyber consumers that has outstripped our 
traditional educational system, special efforts must be 
made to engage citizens in protecting this new, rich 
environment for learning, commerce, and society. 
Failure to do so will only expand the pool of victims, 
potential and real. 
CHAPTER 5 


AN INSTITUTIONAL AND DEVELOPMENTAL 
ANALYSIS 

OF THE DATA BREACH DISCLOSURE LAWS 

Melissa Dark 

This chapter is based on an earlier, extended version of a chapter that appears in Melissa J. Dark, ed., "Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives," Hershey, PA: IGI Global, available from www.igi-global.com, posted by permission of the publisher.

INTRODUCTION 

Although advances in computing promise substantial benefits for individuals and society, trust in computing and communications is critical in order to realize such benefits. The hope for cyber trust is to create a society in which trust enables technologies to support individual and societal needs without violating confidences and exacerbating public risks. Cyber trust, in part, depends on software and hardware technologies upon which people can justifiably rely. However, the cyber trust vision requires looking beyond technical controls to consider how other forms of social control contribute to a state of cyber trust. As information technology has become more ubiquitous and pervasive, assurance and security concerns have escalated; in response, there has been noticeable growth in public policy as a form of social control to bolster cyber trust. One can see such growth just by briefly inventorying some of the regulations enacted to protect security and privacy:

• Freedom of Information Act (1966) 

• ProFair Credit Reporting Act (1970) 

• Bank Secrecy Act (1970) 

• Privacy Act (1974) 

• Family Educational Rights and Privacy Act 
(FERPA) (1974) 

• Right to Financial Privacy Act (1978) 

• Foreign Intelligence Surveillance Act (1978) 

• Electronic Communications Privacy Act 
(ECPA) (1986) 

• Telephone Consumer Protection Act (1991) 

• Communications Assistance for Law En- 
forcement Act (1994) 

• Driver's Privacy Protection Act (1994) 

• Health Insurance Portability and Account- 
ability Act (HIPAA) (1996) 

• Computer Fraud and Abuse Act (1996) 

• Children's Online Privacy Protection Act 
(COPPA) (1998) 

• Digital Millennium Copyright Act (1998) 

• Gramm-Leach-Bliley Act (GLBA) (1999) 

• USA PATRIOT Act (2001) 

• Federal Information Security Management 
Act (2002) 

• Fair and Accurate Credit Transactions Act 
(2003) 

• CAN-SPAM Act (2003) 

• 46 State Data Breach Disclosure Laws* 
(2003-present). 

*The U.S. Virgin Islands, Puerto Rico, and the Dis- 
trict of Columbia have also enacted data breach dis- 
closure laws. 
This is not an exhaustive list, but it is representa- 
tive and exemplifies the increasing growth in legis- 
lation. Given that information security and privacy 
are becoming more important, as evidenced by the 
growth in public policy, policy analysis in this area is 
timely and relevant. 

Policy analysis aims to address questions such as 
the following. What do governments choose to do or 
not to do? How effective are the proposed or enacted 
solutions to public problems? How are issues that af- 
fect large numbers of citizens introduced to the public 
arena? What are the historical, political, and institu- 
tional factors that shape the formulation of public pol- 
icy? In light of the relationships among policies, which 
of the various alternative policies will be most effec- 
tive in achieving a given set of social goals? How can 
policymaking improve through research and analysis? 

This chapter considers the data breach disclosure 
laws recently enacted in most of the United States. 
There are three important factors that make the state 
data breach disclosure laws of interest: the rapid poli- 
cy growth; the first concrete example of informational 
regulation for information security; and the impor- 
tance of these laws to prevent identity theft and pro- 
tect privacy. The chapter begins with a discussion of 
the policy analysis framework used for this analysis. 
Thereafter, the chapter offers a retrospective analysis 
of the historical, political, and institutional factors that 
gave rise to these laws, i.e., the legislative outcomes 
seen today. Finally, the chapter concludes with sug- 
gestions for information security and privacy policy 
in the future. 
INSTITUTIONAL ANALYSIS AND 
DEVELOPMENT FRAMEWORK 


The institutional analysis and development (IAD) 
framework is a tool for performing policy analysis that 
focuses on how institutions, i.e., structures and mech- 
anisms of social order, govern behavior. The goal of 
using this framework is to organize one's inquiry into 
a subject, which in this chapter are the data breach dis- 
closure laws. The IAD framework is associated with 
the social theory of new institutionalism, which grew 
out of a desire to study institutions from a sociological 
perspective. Whereas old institutionalism studies for- 
mal institutions — such as organizations, norms, laws, 
and markets — new institutionalism adds the study of 
how institutions operate in a sociological context. In 
new institutionalism, institutions are abstractly de- 
fined as "shared concepts used by humans in repetitive 
situations organized by rules, norms and strategies" 
(Ostrom, 1999, p. 37). New institutionalism considers 
topics such as how individuals and groups construct 
institutions, how institutions function in practice, how 
institutions interact and affect each other, the effect 
that the sociological environment has on these interac- 
tions, and the effects of institutions on society. In new 
institutionalism, institutions are both the entities (or- 
ganizations, laws, and markets) themselves, as well as 
things — rules, norms, and strategies — that shape the 
patterns of interaction across these entities. 

While rules and norms are powerful, they are 
largely invisible, which makes identifying and mea- 
suring them difficult (Ostrom, 1999). One can describe 
them, but not precisely. This is important, since read- 
ers of this chapter will clearly see qualitative descrip- 
tions to depict institutions in action, but not quantitative 
measures. As a result, the description of this type, 
by its nature, includes connotation, which cannot be 
avoided; norms exist in us, not apart from us. There- 
fore, this chapter is subject to the author's bias. Read- 
ers must refute and/or improve upon this work. It is 
incumbent on all who are interested in such research 
to be aware of, and guard against, personal biases 
where they may limit findings. 

The IAD framework appears in Figure 5-1. The 
action arena in the middle of the figure includes the 
action situations and the actors. In describing the ac- 
tion situation(s), the analyst attempts to identify the 
relevant structures, i.e., those affecting the process of 
interest. This can include participants; allowable ac- 
tions, and linkages to outcomes; the level of control 
that participants have over choice; information avail- 
able to participants; and costs and benefits assigned to 
actions and outcomes. The analyst also identifies the 
pertinent actors. Actors are individuals and groups 
(entities) who take action, i.e., they behave in a man- 
ner to which they attach meaning, either subjectively 
or instrumentally. Moving to the right in Figure 5-1, 
the IAD model includes patterns of interaction and 
outcomes. Most social reality includes multiple action 
arenas that interlink; some may say they are entan- 
gled. The IAD framework calls out patterns of interac- 
tion as subjects of interest in their own right as well 
as in relation to action situations and actors, and to 
outcomes. Outcomes are observed, inferred, and/or 
expected behaviors or results. 
Note: Adapted from P. Sabatier, 1999. 

Figure 5-1. Institutional Analysis and Development 
Framework. 

Moving to the left of the framework, action are- 
nas can also be dependent variables. In this way, the 
analyst looks at how rules-in-use, attributes of com- 
munity, and physical/material conditions influence 
the action arena. Rules-in-use are shared understand- 
ings about what is expected, required, and allowed in 
ordering relationships. Physical/material conditions 
refer to the characteristics of the states of the world 
as they shape action arenas. Clearly, what is expected 
or allowed may be conditioned by what is physically 
or materially possible. Likewise, physical conditions 
might shape rules-in-use and vice versa. Attributes of 
community are nonphysical conditions that provide 
structure to the community. Attributes of community 
may or may not be shaped by physical conditions and 
can serve to influence rules-in-use and the utilization 
of physical conditions. Moving right to left in the IAD 
model, one can also study how outcomes influence 
physical conditions, attributes of community, and 
rules-in-use. Consistent with the new institutional 
paradigm, the IAD model assumes that social systems 
are continually constituted and reconstituted; in this 
way, both the systems and the models to analyze them 
are organic in their worldview. 

The IAD model does not prescribe how analysis is 
performed. The arrows do not mean to suggest that 
the analyst needs to work through the model in full, 
or from left to right. For example, an analyst can work 
from 1) the action arena to 2) outcomes in an effort 
to discern or predict patterns of interaction. Another 
alternative would be to work from 1) observed out- 
comes to 2) effects thereof on rules-in-use or attributes 
of community. Or the analyst can work across levels, 
e.g., investigating how collective choice rules-in-use 
such as excludability and the free-rider problem influ- 
ence what type of operational policy can be enacted. 
This ability to study multiple aspects of an institution 
simultaneously is the power of this model. The IAD 
model is especially useful for analyzing self-governing 
entities; self-governing entities are comprised of indi- 
viduals who create and influence the rules that struc- 
ture their lives. In other words, the members (or their 
representatives) of a self-governing entity participate 
in the development of the collective-choice and consti- 
tutional rules-in-use. Self-governing entities are com- 
plex, adaptive systems in that they consist of a large 
number of elements interacting in multiple ways; the 
interactions change the system, which shapes future 
interactions such that outcomes are hard to predict, 
and thus, considered emergent. Self-governing enti- 
ties are polycentric, in which citizens organize mul- 
tiple governing authorities and private arrangements 
at different scales. A constitutional government is a 
self-governing entity; in an interesting contrast, the 
Internet is also a self-governing socio-technical entity. 
Public policy in information assurance and security is 
about how a polycentric system governs a polycentric 
system, making the IAD framework a useful analytic 
tool for this paper. 

Retrospective Analysis. 

The retrospective analysis examines rules-in-use, 
attributes of community, and the physical and ma- 
terial conditions that served to shape the policy ac- 
tions we have seen to date in information security 
and privacy. Given that the data breach disclosure 
laws aim to ameliorate identity theft and privacy con- 
cerns, we start with an overview of other legislation in 
these areas. 

Policy Actions to Date. 

The first U.S. law that specifically addressed iden- 
tity theft was passed in 1998 — the Identity Theft and 
Assumption Deterrence Act, passed in response to the 
dramatic rise in identity (ID) theft in the 1990s. Prior 
to this act, ID theft was not regulated per se. With re- 
gard to privacy, there is no provision for privacy in 
the U.S. Constitution. There is no independent privacy 
oversight agency in the United States, and the United 
States has no comprehensive privacy law. Instead, the 
United States has taken a sectorial approach to privacy 
regulation so that records held by third parties — such 
as financial and personal records at banks, educational 
and personal records at universities, membership and 
personal information at associations, and medical and 
personal records at community hospitals — are gener- 
ally not protected unless a legislature has enacted a 
specific law. As a result, we have a patchwork of laws 
enacted to address privacy and data security. These 
are outlined next, starting with the laws that pertain to 
the federal government, followed by laws that pertain 
to the private sector, and finally, state laws. 

Federal Laws. 

The Federal Trade Commission (FTC) Act was es- 
tablished by the Federal Trade Commission in 1914 
for the purposes of promoting consumer protection 
and eliminating and preventing anticompetitive busi- 
ness practices. Jurisdiction of the FTC Act extends to a 
variety of entities. Section 5 of the FTC Act forbids un- 
fair or deceptive practices in commerce, where unfair 
practices are defined as those that cause or will likely 
cause substantial injury to consumers. Section 5 of the 
Federal Trade Commission Act has been used with 
regard to privacy and security, when companies have 
been accused of deceptive claims regarding use of per- 
sonal information (e.g., Choicepoint). In 2003, the FTC 
Act was amended to include a provision regarding the 
privacy of consumers' credit data (the Fair and Accu- 
rate Credit Transactions Act of 2003, 15 U.S.C. 1681-1681x). 

The Privacy Act of 1974 (5 U.S.C. 552a) governs 
the federal government's information privacy pro- 
gram. The intent of the Privacy Act is to balance the 
government's need to maintain information about in- 
dividuals and the privacy rights of individuals. The 
Privacy Act protects individuals against unwarranted 
invasions of privacy stemming from federal agencies' 
collection, maintenance, use, and disclosure of per- 
sonal information (U.S. Department of Justice, 2008). 
The U.S. Congress passed the act in response to rev- 
elations of privacy abuse during President Richard 
Nixon's administration. A second goal of the Privacy 
Act is to address potential abuses stemming from the 
government's increasing use of computers to store 
and retrieve personal data. The Privacy Act focuses 
on four basic policy objectives: 

1. To restrict the disclosure of personally identifi- 
able records maintained by federal agencies. 

2. To grant individuals increased rights of access 
to federal agency records that pertain to themselves. 

3. To grant individuals the right to seek amend- 
ment of federal agency records maintained on them- 
selves, given evidence that the records are inaccurate, 
irrelevant, untimely, or incomplete. 

4. To establish a code of "fair information prac- 
tices" that requires federal agencies to comply with 
statutory norms regarding collection, maintenance, 
and dissemination of records. 

The Privacy Act specifies that agencies will not 
disclose any record contained in a system of records 
by any means of communication to any person or to 
another agency without the prior written consent of 
the individual to whom the record pertains — barring 
exceptions such as law enforcement. The Privacy Act 
also mandates that each federal agency have in place 
an administrative and physical security system to pre- 
vent unauthorized release of personal records. While 
the Privacy Act also applies to records created by 
government contractors, it does not apply to private 
databases. 

The Federal Information Security Management Act 
(44 U.S.C. 3544) (FISMA), enacted in 2002, is the prin- 
cipal law governing the information security program 
for the federal government. FISMA calls for agencies 
to develop, document, and implement agency-wide 
information security programs. This includes infor- 
mation systems used or operated by an agency or by 
a contractor of an agency. A goal of FISMA is to see 
that information security protections are commensu- 
rate with the risk and magnitude of harm resulting 
from unauthorized access, use, disclosure, disrup- 
tion, modification, or destruction of information col- 
lected or maintained by or on behalf of the agency. 
FISMA requires procedures for detecting, reporting, 
and responding to security incidents. Notification of 
security incidents must be provided to a federal in- 
formation security incident center, law enforcement, 
and relevant Offices of the Inspector General. The Of- 
fice of Management and Budget Breach Notification 
Policy, issued in 2007, reemphasizes agencies' obliga- 
tions under the Privacy Act and FISMA by outlining 
two new privacy requirements and five new security 
requirements, which include explicit requirements for 
breach notification. 

The Veterans Affairs Information Security Act (38 
U.S.C. 5722) was enacted in 2006 in response to the 
May 2006 breach of 26.5 million veterans' personal 
data. The Veterans Affairs Information Security Act 
requires the Veterans Administration (VA) to imple- 
ment agency-wide information security procedures to 
protect the VA's sensitive personal information and 
information systems. While the VA Secretary must 
comply with FISMA, this act includes other require- 
ments not in FISMA, which are not specified here due 
to the narrow scope of this law, i.e., it applies only to 
the VA. 

Private Sector Laws. 

In addition to the laws that shape the behavior of 
federal agencies, a suite of information security and 
privacy laws apply to the private sector. The two main 
laws are the Health Insurance Portability and Ac- 
countability Act (42 U.S.C. 1320) of 1996 (HIPAA) and 
the Gramm-Leach-Bliley Act (15 U.S.C. 6801-6809), 
enacted in 1999 (GLBA). HIPAA requires health plans, 
health care clearinghouses, and health care providers 
to ensure the privacy of medical records and prohibits 
disclosure without patient consent. While HIPAA in- 
cludes privacy provisions, it is important to note that 
the primary purpose of HIPAA was job mobility. Ac- 
cording to Hinde: 

It was perceived that the disclosure of pre-existing 
medical conditions or claims to a new employer and 
that employer's health plan might discourage job mo- 
bility if those conditions were excluded by the new 
health plan insurer. Thus, the concept of providing 
privacy over identifiable information for those cov- 
ered by the plan (Hinde, 2003, p. 379). 

The security standards that require health care en- 
tities to maintain administrative, technical, and physi- 
cal safeguards to ensure the confidentiality, integrity, 
and availability of electronic "protected health infor- 
mation" were added to HIPAA in 2003. 

The Gramm-Leach-Bliley Act (GLBA) pertains 
to financial institutions. The impetus for GLBA was 
to "modernize" financial services. This included the 
removal of regulations that prevented the merger of 
banks, stock brokerage companies, and insurance 
companies. These financial institutions regularly 
bought and sold information that many would con- 
sider private, including bank balances and account 
numbers. Therefore, the: 

(R)emoval of these regulations raised significant risks 
that these new financial institutions would have access 
to an incredible amount of personal information 
with no restrictions upon its use. Prior to GLBA, the 
insurance company that maintained your health re- 
cords was distinct from the bank that mortgaged your 
house and the stockbroker that traded your stocks. 
Once these companies merged, however, they would 
have the ability to consolidate, analyze, and sell the 
personal details of their customers' lives (EPIC, 2008). 

GLBA requires financial institutions — businesses 
that engage in banking, insuring, stocks and bonds, 
financial advice, and investing — to safeguard the se- 
curity and confidentiality of customer information, to 
protect against threats and hazards to the security or 
integrity of these records, and to provide customers 
with notice of privacy policies. Section 501(b) of GLBA 
requires banking agencies to establish industry stan- 
dards regarding security measures such as risk assess- 
ment, information security training, security testing, 
monitoring, and a response program for unauthorized 
access to customer information and customer notice. 
In this way, GLBA is self-regulatory because it calls 
for financial institutions to appoint an intermediary to 
determine best practices for information security and 
to monitor the performance of financial institutions 
against these industry standards. 

State Data Breach Disclosure Laws. 

The most recent spate of activity is in the 46 state 
data breach disclosure laws. California was the first 
state to establish a data breach disclosure law in 2003; 
10 other states enacted laws in 2005, 19 in 2006, eight 
in 2007, five in 2008, two in 2009, and one in 2010. 
Questions and concerns about the efficacy of these 
laws are many. All of these laws address three common 
elements: personal information definition, no- 
tification requirements, and notification procedures 
and timelines. However, the definitions of "personal 
information," "breach," "encryption," and "potential 
risk" are not consistent across the various state laws. 
This creates challenges for companies that operate in 
more than one state. The need to comply with mul- 
tiple state laws can be cumbersome and costly. Thus 
far, it is not known if consumer notification is effective 
and under what circumstances. Given that the laws 
vary with regard to what is protected, to what degree, 
and when, consumer advocates fear that the lack of 
consistency diminishes the effectiveness of the laws. 
By allowing consumer rights to vary, consumers lose 
their power and, as a result of their protections mean- 
ing many different things, these consumer protections 
mean no one thing. Questions also arise about the use 
of personal notification as a mitigation strategy. As 
notifications increase, there is an increased risk of con- 
sumer desensitization, which ironically could cause 
consumers to be inattentive to the risk, which would 
be counterproductive. 

The clarion call is that we are drowning under a 
myriad of different state data breach notification laws, 
thereby making a federal data breach notification law 
imperative. In response, 15 federal data breach notifi- 
cation bills have been introduced in the past 4 years. 
While all of these bills are dead, the discussion of pre- 
emptive federal law continues. The debate continues 
as to the needs of business versus consumer groups. 
As business vies for a high threshold for notification 
due to the fact that notification costs time, money, 
and reputation, consumer groups contend that higher 
thresholds do not grant enough notice to consumers. 
Questions of what should be with regard to identity 
theft, privacy, and security remain salient. 
Retrospective Policy Analysis. 

We now turn to a discussion of the policy analysis 
using the IAD framework to consider why and how 
we arrived at the development of the 46 existing data 
breach laws. In this retrospective analysis, we consid- 
er the rules-in-use, attributes of community, and the 
physical and material conditions that served to shape 
the policy actions we have seen until now. To date, 
public policy in information security and privacy in 
the United States has been largely incremental in na- 
ture. We can see from the patchwork of laws discussed 
earlier in this chapter that we have thus far resisted a 
coordinated federal law that preempts existing legis- 
lation. Incrementalism is common in self-governing, 
polycentric entities. In policy analysis, incrementalism 
assumes that: 1) the effects of seriality enhance out- 
comes by reducing uncertainty; and, 2) the enhanced 
consideration of context enhances outcomes. That the 
information age has introduced a number of uncer- 
tainties makes incrementalism especially relevant. 

Stated more directly, and in connection to the 
IAD model, one of the rules-in-use is incrementalism. 
When there is a high degree of uncertainty, policy will 
be enacted incrementally. Thus, a plethora of laws is 
to be expected. While identity theft is nothing new, 
the magnitude of identity theft experienced in the past 
decade is new. The global information infrastructure 
is in its infancy — it is still unclear what people will and 
will not do in the electronic frontier. The Internet was 
never designed to serve the myriad of purposes for 
which it is being used, nor was it designed for billions 
of users. Laws designed in the industrial era may or 
may not apply in the information age. It is not certain 
what new laws are necessary as a result of information 
technologies and how effective these laws will be. 
During this period of transition, new communities 
form and existing communities are being reshaped; 
as a result, behavioral norms are being renegotiated. 
Given the global nature of the Internet, it is reasonable 
to view these communities as more heterogeneous or, 
at a minimum, heterogeneous in new ways. Therefore, 
norms cannot be easily transported based on existing 
communities; they will have to be established from 
the ground up, which is bound to take time. Addi- 
tionally, because the technology is still new, scientists 
and engineers are still determining what actions are 
physically possible. Talented individuals around the 
world are working on technologies to help anonymize 
data, enhance privacy-preserving computation, and 
provide improved intrusion detection, but this takes 
time as well. Experience in all of these areas — rules-in- 
use, attributes of community, and physical/material 
conditions — occurs through observation, involvement, 
and exposure. 

Though we do not have much experience, there 
has been the need to take action. ID theft is on the rise, 
which concerns citizens. Two of the core imperatives 
of the state are domestic order and legitimacy (Dry- 
zek, Downes, Hunold, Schlosberg and Hernes, 2003). 
Yet, the existing federal and private sector laws are 
not sufficient to address the rising identity theft prob- 
lem threatening domestic order, thereby forcing law- 
makers to take action to ensure their perceived legiti- 
macy. In response, federal laws have been amended, 
private sector laws are being tweaked, and a flurry of 
state laws have been enacted. To what can we attri- 
bute the incremental changes we have observed? Why 
do we have these laws as opposed to something else? 
To answer these questions, we turn to a discussion of 
openness and transparency, informational regulation. 
the infancy of the information industry, and federal- 
ism; we further examine how rules-in-use, attributes 
of community, and physical/material conditions have 
intersected in each of these areas to produce the policies 
we have today. 

Openness and Transparency. 

A democracy is founded on principles of openness 
and transparency. In 1933, Justice Louis D. Brandeis 
coined the powerful phrase "sunlight as disinfectant" 
in support of increasing openness and transparency 
in public policy. While laws that aim to ensure open- 
ness and transparency in government operations ex- 
isted before 1933, Brandeis is responsible for the term 
"Sunshine Laws." The impetus behind sunshine laws 
is twofold. First, a thriving, open democracy depends 
on open access and citizen participation; thus, the 
right-to-know is a constitutional and inherent right of 
American citizens. Second, a government that is of the 
people, for the people, and by the people asserts gov- 
ernment subservience to the individual, which predi- 
cates freedom of information. 

The Freedom of Information Act (FOIA), signed 
into law on July 4, 1966, by President Lyndon B. John- 
son, is a Sunshine Law. FOIA allows for the full or par- 
tial disclosure of previously unreleased information 
and documents controlled by the U.S. Government. 
The concept of "freedom of information" conveys a 
philosophy that values the advantages of increasing 
our ability to gather and send information, and clearly 
does not connote privacy as a positive right. This acts 
as a rule-in-use. 

The Privacy Act of 1974 arrived 8 years later as an 
amendment to the FOIA in response to Watergate and 
the abuse of privacy during the Nixon administration. 
The Privacy Act of 1974 did not promote privacy, but 
established a code of fair information practice. It was 
also an attempt to limit the powers of government and 
passed hastily during the final week of the 93rd Con- 
gress, which was in session from 1973-74. According 
to the U.S. Department of Justice: 

[N]o conference committee was convened to reconcile 
differences in the bills passed by the House and Sen- 
ate. Instead, staffs of the respective committees — led 
by Senators Ervin and Percy, and Congressmen Moor- 
head and Erlenborn — prepared a final version of the 
bill that was ultimately enacted . . . the Act's imprecise 
language, limited legislative history, and somewhat 
outdated regulatory guidelines have rendered it a dif- 
ficult statute to decipher and apply (U.S. Department 
of Justice, 2008). 

Moreover, even after more than 25 years of ad- 
ministrative and judicial analysis, numerous Privacy 
Act issues remain unresolved or unexplored. Add- 
ing to these interpretational difficulties is the fact 
that many Privacy Act cases are unpublished district 
court decisions. 

This offers important insight into the historical 
context with regard to how information and privacy 
are embedded in the past as well as food for thought 
on how this norm has shaped our ongoing collective 
treatment of it going forward. Through the enactment 
of FOIA in 1966, the push to enable information shar- 
ing was a result of mistrust in government. Eight years 
later, the Privacy Act was reactive in nature and reflec- 
tive of further distrust of government. Through these 
pieces of legislation run two noteworthy threads. First 
is the value of freedom of information, wherein infor- 
mation belongs to and exists for the advancement of 
citizens and the common good. Second is a distrust of 
government powers, wherein stewardship cannot be 
entrusted to the polity. "Privacy" in the Privacy Act is 
not a positive right, but rather a necessary provision 
subservient to limiting government powers. 

Earlier in this study it was noted that HIPAA was 
passed to enable job mobility and GLBA was passed 
to modernize the financial services industry. Again, 
in the context of these laws, privacy is secondary to 
another purpose. In HIPAA and GLBA, privacy is 
a means to an end; in other words, privacy plays a 
functional or instrumental role. Society needs priva- 
cy because citizens need job mobility; society needs 
privacy to modernize financial services. Implicit is 
the message that if citizens did not need job mobil- 
ity or financial services modernization they would 
not need to concern themselves with privacy. Even 
though privacy was cast as a functional need in both 
HIPAA and GLBA, the similarity ends there. These in- 
dustry sectors have significantly different regulatory 
frameworks (Congressional Research Service, 2008). 
The security and privacy provisions in these laws are 
more reflective of the larger regulatory framework for 
these industries. The regulatory framework for these 
industries served as additional rules-in-use, shaping 
these laws. 

Informational Regulation. 

Another phenomenon that is essential to under- 
standing the U.S. data breach laws is informational 
regulation. Informational regulation has become a 
striking development in American law (Sunstein, 
2006). To date, informational regulation has applied 
in the environmental and health policy arenas. It is 
noteworthy that informational regulation has been 
applied to these areas. In the case of environmental 
policy, informational regulations have protected as- 
pects of the environment that are common (or public) 
good in nature, which by definition means that the 
private sector will not attend to them. A similar situ- 
ation occurs in the area of public health, in which the 
health of all citizens is both good for the individual as 
well as for the collective as a means and an end, i.e., it 
is a common or public good. 

Informational regulation has two functions. First, 
it serves to inform people of potential risk exposure 
(Volokh, 2002) and serves as "sunlight," which was 
already discussed as the value of transparency. Sec- 
ond, informational regulation aims to change the 
behavior of risk creators (Volokh, 2002) and to exert 
pressure on entities to care for the common good. In- 
formational regulation is useful in a polycentric policy 
arena in which the problems that the policy means to 
address are attributable to multiple sources, the solu- 
tions require participation from multiple parties, and 
the nature of problems and solutions is dynamic — all 
of which necessitate that the policy must allow for 
adaptability. Clearly caring for the environment or 
health are polycentric policy areas. Environmental 
and health problems stem from multiple sources, and 
ameliorating these types of problems takes ongoing 
involvement from multiple parties. The same is true 
for data security, identity protection, and privacy. Im- 
proved data security is possible only under conditions 
that shape the practices of numerous individuals and 
covered entities; therefore, policy that provides incen- 
tives for such change is, in theory, necessary. How 
does informational regulation work in practice? 
Figure 5-2 shows the mechanistic view of the premise 
for informational regulation for data breach disclosure 
laws. Informational regulation intends to provide 
warning information to consumers. In theory, by en- 
hancing the knowledge level, consumers can perform 
a personalized risk assessment and make purchase 
decisions based on that assessment. The market deci- 
sions made by consumers intend to drive the less se- 
cure entities out of the market, thereby improving the 
state of security over time. In addition, the enhanced 
knowledge levels will propel consumers to engage in 
other protective actions, such as active credit moni- 
toring or a credit freeze. Consumer credit monitoring 
typically includes alerting the bank and credit card 
merchant, notifying the FTC, and/or contacting law 
enforcement. A credit freeze allows consumers to lock 
their consumer credit report and scores. Once consum- 
ers have locked their credit information, the lender or 
merchant cannot access it, which significantly lowers 
the likelihood that the merchant will issue credit. The 
benefit is that the thief is not likely to get credit in the 
consumer's name (so the law prevents a false-positive, 
also called a Type II error). The downside is that this 
locking also impedes consumers from quickly get- 
ting credit in their name (a false-negative, or Type I 
error); note that consumers can release the freeze, but 
it takes a few days and may jeopardize quick access 
to special loans and other purchase incentives. These 
proactive consumer measures will in theory also lead 
to improved security over time. 
Figure 5-2. Informational Regulation Premise 
for Data Breach Disclosure Laws. 

Informational regulation also aims to change the 
actions of producers. By engaging producers in pro- 
viding information, informational regulation, in the- 
ory, reveals an entity's practices. This sends a signal 
to society that perhaps this entity cannot be trusted. 
The premise is that covered entities value their repu- 
tations. As such, they will act to improve their security 
in order to preserve their reputations and minimize 
associated costs, which could include the costs of the 
notification itself, as well as downtime costs, the costs 
of remediation and recovery due to the breach, and 
the costs of lost business. Ideally, these two streams 
combine to improve data security, which in turn 
mitigates ID theft and enhances privacy. 

The premise of informational regulation is that: 1) 
market mechanisms can shape risk behavior, thereby 
reducing the need for command-and-control regula- 
tions; and, 2) informational regulation enhances dem- 
ocratic processes and promotes individual autonomy. 
By providing data breach information to victims, 
individuals are empowered to make decisions based on 
quality (i.e., they can elect to purchase goods/services 
from a provider who offers enhanced information se- 
curity and privacy), and market mechanisms will be 
fortified. A failure to provide complete and accurate 
market information can impede the efficient alloca- 
tion of goods and services and result in market failure, 
which is the driver for changing producers' behavior. 

In theory, informational regulation allows more 
public monitoring of decisions, a norm already dis- 
cussed. By forcing disclosure, more people are in- 
formed; and by informing more people, the quality 
and the quantity of public deliberation will improve, 
thereby enhancing the democratic processes that are 
vital for openness and transparency. In general, infor- 
mation disclosure rests on the normative belief that 
citizens have a right to know the risks to which they 
are exposed. This information promotes choice and 
autonomy, both of which are foundational to what 
some may consider the ultimate norm in American 
society — liberty (Renshaw, 2002). 

In contrast to command-and-control regulation in 
which the government sets and enforces standards, 
informational regulation is often less expensive. The 
United States values efficient government, and recent 
decades have seen an increased emphasis on downsiz- 
ing the federal government. While it is not clear that 
command and control legislation would be effective 
in mitigating data breaches or in making data breach 
disclosure more effective, it is clear that a command 
and control approach is not politically efficacious at 
this point in time. 

In summary, informational regulation has grown 
in areas where consumer protection, private sector 
practices, and risk converge. Examples include warning 
labels regarding mercury levels, nutrition labels 
disclosing fat content, and notifications about the 
side effects of a given medication. That data security 
shares these same material features — consumer pro- 
tection, private sector practices, and risk— has clearly 
contributed to adopting informational regulation as 
the model for data breach disclosure laws. 

Infancy of the Information Industry and 
Federalism. 

Continuing with a thread that was started earlier — 
relative inexperience with the information age — the 
information industry includes: 1) industries that buy 
and sell information as a good or service; 2) certain 
service sectors that are especially information inten- 
sive, such as banking and legal services; 3) information 
dissemination sectors, such as telecommunications 
and broadcasting; and, 4) producers of information 
processing devices, such as computers and software. 
The information industry is a boon to the economy, as 
information amplifies growth in more traditional in- 
dustry sectors, and the demand for information goods 
and services increases markedly. Because of the ends 
and means nature of information goods and services, 
the market is quite large and still emerging. 

An example of emergence is the following rela- 
tively recent cascade of events: the Internet explosion; 
September 11, 2001; and the subsequent war on terror. 
These events converged to boost the data brokerage 
industry. Data brokerages are companies that collect 
and sell billions of private and public records con- 
taining individuals' personal information. Many of 
these companies also provide products and services, 
including identity verification, background screen- 
ing, risk assessments, individual digital dossiers, and 
tools for analyzing data. Most data brokers sell data 
that they collect from public records (e.g., driver's li- 
cense records, vehicle registration records, criminal 
records, voter registration records, property records, 
and occupational licensing records) or from warranty 
cards, credit applications, etc. In addition, data bro- 
kers purchase so-called "credit headers" from credit 
reporting agencies. Information on a credit header 
generally includes a person's Social Security number, 
address, phone numbers, and birth date (Congres- 
sional Research Service, 2007). Although some of the 
products and services provided by data brokers are 
currently subject to privacy and security protections 
aimed at credit reporting agencies and the financial 
industry under the Fair Credit Reporting Act (1971) 
and GLBA (1999), many are not. Because the indus- 
try is relatively young, there is no history of oversight 
or self-regulation of the industry's practices, includ- 
ing the accuracy and handling of sensitive data, by an 
industry-sanctioned body. 

Data brokerages are not the only unregulated enti- 
ties. There are many other organizations that process, 
store, and transmit personal information: state and lo- 
cal agencies, public hospitals, departments of revenue 
and motor vehicles, courts at the state and local level, 
agencies that oversee elections, K-12 schools, school 
districts, post-secondary institutions, and business en- 
tities engaging in inter- and intrastate commerce. Most 
of these entities are not covered by HIPAA and GLBA 
(Congressional Budget Office, 2006) and have tradi- 
tionally been governed through state law; hence, the 
46 state data breach laws discussed earlier. The suite 
of laws are in part a result of lack of experience with 
information markets, and are partly a function of the 
need for legislation that spans the numerous and var- 
ied types of entities that process, store, and transmit 
personal information. A broad and amorphous social 
challenge such as information security and privacy is 
not only diffuse; it is emergent. Research has shown 
that, for open-access common good resources (such as 
security and privacy), collective choice action arenas, 
i.e., those that improve opportunities for communication 
and public deliberation, result in better joint outcomes 
(Ostrom, 1999). The patchwork of data breach laws fits 
this profile: it aims to increase communication and 
public deliberation. 

In a federalist system, such as the United States, 
sovereignty is constitutionally divided between the 
federal government and the constituent states. The 
powers granted to the U.S. federal government are 
limited to the right to levy taxes, declare war, and 
regulate interstate and foreign commerce. The pow- 
ers traditionally reserved by the states include public 
safety, public education, public health, transportation, 
and infrastructure. Of course, information security 
and privacy challenges permeate these state-governed 
organizations, too. While a federal preemptive law 
might span all organizations and individuals, there is 
the possibility that it would erode state sovereignty 
and, in the process, alter the federal-state balance of 
power in unprecedented ways. The patchwork suite 
of laws that we have can be partially attributed to a 
collective belief that this is wrong. This retrospective 
analysis provided nuanced insight into the present. 
Federal laws were enacted to delimit government 
powers, and privacy seemed necessary for that pur- 
pose. Private industry sector laws were passed to pro- 
tect the private sector, and data security and privacy 
were functional means to that end. These federal and 
private sector laws reflect a general U.S. cultural norm 
of distrusting government while trusting in the private 
sector and market forces. Informational regulation 
was established as a form of legislation considered 
effective for issues that spanned consumer protec- 
tion and risk, and where market mechanisms could 
work effectively, which is further evidence of 
pervasive trust in the private sector. 

LOOKING FORWARD 

Technological advancements are changing the in- 
formation security and privacy landscape consider- 
ably; in response, organizations grapple to enact social 
controls, i.e., public policies, that mitigate the ill effects. 
Yet, these policies are blunt instruments not suited to 
the careful excision of these ills. As mentioned earlier, 
some critics contend that the nation is drowning un- 
der a myriad of different state data breach notification 
laws and argue for a preemptive federal data breach 
notification law. Others contend that the current laws 
can suffice if modifications are passed. 

Some advocates of modifying existing laws assert 
that the outcome of data breach disclosure should be 
to motivate large-scale reporting so that data breaches 
and trends can be aggregated, which allows a more 
purposeful and defensive use of incident data. Those 
who advocate for large-scale data collection view the 
existing laws as "disclosure disincentives" for two 
reasons: 1) breached entities view themselves as vic- 
tims of attack and not deserving of reputational reper- 
cussions; and, 2) existing laws offer covered entities 
considerable discretion as to whether to disclose. To- 
gether, these factors result in underreporting of data 
breaches, which in turn constrains large-scale data 
collection regarding breaches. The proposed policy 
solution is to modify the laws to make breach notifica- 
tion completely anonymous where breached entities 
report to an intermediary and not to consumers. 

Other advocates of modifying the existing laws suggest 
a coordinated response architecture (CRA) (Schwartz 
and Janger, 2007). Supporters of this alternative agree 
that large-scale data collection on data breaches is 
necessary, but contend that consumer notification 
needs to be amended, not eliminated. 
Their main concerns with the existing consumer noti- 
fication practices are that: 1) there are too many noti- 
fications, leading to consumer desensitization; and, 2) 
the information provided to consumers is unhelpful at 
best and befuddling at worst. In response, this group 
advocates for amendments to the data breach laws to 
include a CRA. The CRA is an intermediary agency 
with responsibility for: 1) supervised delegation of the 
decision whether to give notice; 2) coordination and 
targeting of notices to other institutions and to cus- 
tomers; and, 3) improving the content of notices sent 
to consumers. 

Each of the alternatives offers a critique of the exist- 
ing suite of laws. Each critique is grounded in a prem- 
ise of what outcomes matter, and each alternative of- 
fers a view on how policy can/should target actions in 
pursuit of these outcomes. Questions of what should 
be with regard to ID theft, privacy, and security re- 
main salient. The problem is both highly polycentric 
and emergent, and these conditions favor polycentric 
and incremental policy approaches. 

Yet, others would suggest that informational regu- 
lation is the wrong type of legislation entirely, and 
that tort law would be more effective for redressing 
problems of negligent behavior. Still others support 
a mix-and-match set of policy alternatives. One ex- 
ample is a preemptive federal law in conjunction with 
tort laws and existing state laws, in which the scope 
of preemption is fairly narrow. The justification is that 
such a policy mix would allow greater stringency, and 
therein sovereignty, in state laws as desired by states, 
but provide for certain requirements in a federal law 
in areas that are crucial to improving security. 

As opposed to thinking about discrete policy solu- 
tions, challenges in information security and privacy 
are highly polycentric and emergent; these conditions 
in turn favor polycentric and incremental policy ap- 
proaches. The 46 state data breach laws put data secu- 
rity into the hands of citizens and organizations. In a 
society pillared by equity and freedom as ideals, where 
there is no constitutional provision for privacy, the 
constant for deliberating the common good is through 
an open and representative process. This myriad of 
data security laws aims to make these individual 
preferences explicit in a manner that allows all to 
translate them into collective choice. The future of 
data security is therefore contingent, first, on seeing 
more laws enacted to address facets of information 
security and privacy, and second, on those laws being 
more polycentric, not less. 
CHAPTER 6 


CYBER SECURITY AND IDENTITY: 
SOLUTIONS FOR CRITICAL 
INFRASTRUCTURE THAT PROTECT CIVIL 
LIBERTIES AND ENHANCE SECURITY 

Joshua Gruenspecht 

INTRODUCTION: IDENTITY PROBLEMS 
AND IDENTITY VALUES 

Problems with identity determination raise some 
of the most complicated and unresolved issues in cy- 
ber security. Just as in the physical world, identity on- 
line can be crucial both in restricting access to critical 
resources and in responding appropriately to threats 
or attacks. In the networked world, however, identify- 
ing a communications partner can be difficult, and in- 
formation security can suffer as a result. Industry and 
government are pursuing a number of approaches to 
better identify communicants so as to secure informa- 
tion and other assets. As part of this process, some 
policymakers have suggested fundamental changes to 
the way in which the Internet transmits identity infor- 
mation. Though their solutions have varied, this sub- 
set of policymakers has coalesced around the general 
idea that Internet communication needs to be more 
traceable so that malefactors can be tracked more 
easily. 

What these policymakers often fail to recognize 
is that identity is bigger than cyber security alone. 
Changes to online identity standards may also have 
effects on civil liberties and global freedom, eco- 
nomic and technological innovation, market choices, 
consumer privacy, and other issues associated with 
online business models. Authentication mechanisms 
that do not consider commercial compatibility may 
be left behind in the marketplace, while enforced 
compatibility may create barriers to entry for entre- 
preneurs. Mechanisms mandated by the government, 
though, may choke off superior private-sector solu- 
tions. Enhanced identity mechanisms may complicate 
the right to anonymous speech and increase the ability 
of repressive regimes to target dissenters. In all these 
ways, network identity is not just a matter of security, 
but also a matter of civil and economic freedom. Ac- 
cordingly, the development and implementation of 
identity solutions must involve a weighing of values. 
Increasing the traceability of communications endan- 
gers many of these values. Instead of expending lim- 
ited resources to pursue solutions that have serious 
negative consequences, it is incumbent upon policy- 
makers to first consider alternative ways to address 
the cyber security identity problem. 

In order to assess the full spectrum of identity 
solutions proposed for cyber security, it is useful to 
understand that there are two related but distinct sets 
of problems in network identification: authentication 
and attribution. Authentication refers to the process 
of verifying the identity of a communicant (a machine 
or a user). Where an identity is associated with certain 
permissions, authentication mechanisms can be used 
to protect critical resources by securing systems from 
unauthorized access. Attribution, in contrast, concerns 
questions of how to determine the identity of a com- 
municant (as the source of certain code or other data) 
based on all of the information that the communicant 
has placed onto the network, including metadata as- 
sociated with his or her communications. Attribution 
strategies can help assign responsibility for an at- 
tack. They can also help identify threats to network 
security, thus helping to mitigate those threats before 
their impact is felt. In some scenarios, authentication 
information can play a significant role in attribution, 
though often policymakers gloss over this piece of the 
attribution equation. 

The first section considers both sets of problems 
and concludes that authentication-oriented solutions 
are more likely to provide significant security ben- 
efits and less likely to produce undesirable economic 
and civil liberties consequences. The second section 
explains the concepts of authentication and attribu- 
tion in greater depth, discussing how each relates to 
network security and to other core values. The third 
section explains how identity information is currently 
exchanged on the Internet, and what authentication 
and attribution challenges are raised by these existing 
solutions. The fourth section evaluates proposed so- 
lutions to identity problems and the policy issues as- 
sociated with those solutions, explaining the benefits 
and drawbacks of each for both cyber security and for 
other values. The last section provides conclusions 
reached as a result of this analysis. 

AUTHENTICATION AND ATTRIBUTION: 
IDENTIFYING THE COMMUNICANT 

Authentication: Demanding Identity Before a 
Transaction. 

Authentication is "the process of establishing an 
understood level of confidence that an identifier re- 
fers to a particular individual or identity." Authenti- 
cation often involves an exchange of information before 
some other transaction in order to ensure — to the 
extent necessary for the transaction at hand — that the 
sender of a stream of traffic is who he or she claims to 
be or otherwise has the attributes required to engage 
in the given transaction. Enhancing the security of the 
authentication process in turn enhances the security 
of the transaction. Because critical resources such as 
utility control systems, financial networks, and sys- 
tems holding classified information are increasingly 
accessible through the Internet, authenticating users 
becomes an important cyber security concern. There 
are two sets of authentication questions that drive se- 
curity. First, how can authentication security be im- 
proved? Second, what level of authentication should 
be required in any particular situation? 

To understand how improvements happen, it is 
important to understand the underlying authentica- 
tion transaction. There are three parties to an authen- 
tication transaction. The "user" associates him or 
herself with a digital identity; the "identity provider" 
facilitates and stores that association; and the "relying 
party" asks the identity provider to verify the user at 
the time of the transaction (or relies on something pro- 
vided to the user by the identity provider). In many 
situations, the identity provider and the relying party 
are one and the same (e.g., a business issuing user 
names and passwords for access to its own internal 
network, or Google authenticating a user into Gmail). 
Combining the two can increase security by reducing 
both the number of parties to the transaction and the 
technological complexity of the transaction, but it can 
also reduce security because, when every relying party 
issues its own identities, users (even sophisticated ones 
at important facilities) engage in insecure practices. 

Information exchanged to authenticate identity 
is often broken down into three separate classes of 
authenticators: something you know, such as a pass- 
word; something you have, such as a card or USB 
token; and something you are, such as biometric in- 
formation. Including multiple factors, especially from 
different classes, generally increases the security of 
the transaction. 

Creating a digital identity generally requires some 
form of "proofing," a pre-authentication step in which 
the user and the identity provider exchange other au- 
thenticators. This process sometimes involves off-line 
identities and sometimes involves, especially for high- 
er levels of security, an in-person interaction. If the au- 
thenticators used to prove identity are themselves in- 
valid, or the proofing process is otherwise inadequate, 
the resulting identity credentials will not be reliable. 

Underlying the second question, "What level of 
authentication should be required?" is the supposi- 
tion that different kinds of transactions should require 
different levels of authentication. Some observers be- 
lieve that certain online transactions, for example, ac- 
cessing a publicly available government website, can 
be permitted with no authentication, while others pro- 
pose that at least some identification should be part of 
every Internet transaction. Regardless, almost all 
technical solutions and policy proposals involving 
identity are based on the creation of levels of assurance 
(LOAs). LOAs rank networked systems according to 
the consequences of authentication failure and define 
authentication requirements at each level. Accessing a 
newspaper article, for example, surely requires fewer 
assurances of identity than accessing the control sys- 
tem of a nuclear reactor. Work has already been done 
to define LOAs for federal systems, and private sector 
identity initiatives have followed the government's 
four-level framework. However, what is lacking, cer- 
tainly in the private sector, is any agreement on what 
level of assurance is required for what type of transac- 
tion or access. To the extent that this lack of agreement 
leaves critical resources inadequately protected, it 
raises significant cyber security concerns and the 
question of why standard LOAs have not been adopted. 
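The three-party transaction described above (user, identity provider, relying party) and the LOA idea can be made concrete in code. The following is an added example, not code from the chapter or from any identity framework it cites: an identity provider issues an HMAC-signed assertion that carries the assurance level reached, a relying party verifies it, and an authorization gate compares that level with the level each resource demands. The shared key, the claim names, the rule mapping authenticator classes and proofing to an LOA, and the LOA assigned to each sample resource are assumptions made for illustration.

```python
# Added example (not code from the chapter): a minimal three-party
# authentication exchange followed by a levels-of-assurance (LOA) gate.
# Assumptions (not from the chapter): the HMAC key, the claim names, the
# rule that maps authenticator classes and proofing to an LOA, and the
# LOA each sample resource demands are all invented for illustration.
import base64
import hashlib
import hmac
import json

# Shared secret provisioned out of band between IdP and RP (assumption).
IDP_KEY = b"illustration-only-shared-key"

# LOA each sample resource requires (assumption; 0 = no authentication).
RESOURCE_LOA = {"/news": 0, "/account": 2, "/reactor/control": 3}


def assurance_level(factors, proofing):
    """Assumed LOA rule: one level per distinct authenticator class used
    (know / have / are), so two passwords still count as one; the top
    level additionally requires in-person proofing, since credentials
    issued after weak proofing are not reliable whatever the factors."""
    classes = {f.split(":", 1)[0] for f in factors}
    level = min(len(classes & {"know", "have", "are"}), 3)
    if level == 3 and proofing != "in_person":
        level = 2
    return level


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue(user, factors, proofing, audience, nonce, now, ttl=300):
    """IdP side: bind user, audience, nonce, validity window and LOA into
    one HMAC-tagged token that the user carries to the relying party."""
    claims = {"sub": user, "aud": audience, "nonce": nonce,
              "iat": now, "exp": now + ttl,
              "loa": assurance_level(factors, proofing)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def rp_verify(token, audience, nonce, now):
    """RP side: reject anything not signed by the IdP, not meant for this
    RP, not tied to the nonce this RP issued, or outside its validity
    window. Returns the claims on success, None otherwise."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience or claims.get("nonce") != nonce:
        return None
    if not claims["iat"] <= now < claims["exp"]:
        return None
    return claims


def authorize(claims, resource):
    """Authorization step: compare the LOA the session reached with the
    LOA the resource demands; unknown resources are denied."""
    required = RESOURCE_LOA.get(resource)
    if required is None:
        return False
    if required == 0:
        return True
    return claims is not None and claims["loa"] >= required


if __name__ == "__main__":
    rp, nonce, now = "rp.example", "n-7731", 1307520000
    tok = idp_issue("alice", ["know:password", "have:usb-token"],
                    "remote", rp, nonce, now)
    claims = rp_verify(tok, rp, nonce, now + 10)
    for res in RESOURCE_LOA:
        print(res, "allowed" if authorize(claims, res) else "denied")
```

Two points the code makes explicit: two authenticators of the same class (two passwords) do not raise the level, and three classes without in-person proofing are capped, reflecting the warning that inadequate proofing makes the resulting credential unreliable. The relying party never sees the user's factors, only the signed level, which is why the verification checks (signature, audience, nonce, validity window) matter as much as the factors themselves.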

To some degree, cyber security identity may ben- 
efit from developments in the e-commerce and social 
networking sectors, where identity and authentication 
are hot topics. Online service providers recognize that 
users dislike the complexity of maintaining multiple 
identities, and therefore providers want to streamline 
their identity processes. At the same time, advertisers 
and advertising platforms see huge benefit from link- 
ing online activity with offline or true name identity. 
As a result, multiparty efforts are underway to create 
identification systems that will work across sites, and 
individual companies such as Facebook are stepping 
forward as universal commercial identity providers. 
Combining these efforts with cyber security efforts 
might have beneficial network effects such as the re- 
duction of complexity. However, these commercial 
solutions are not likely to have the proofing mecha- 
nisms or implementation security required to serve at 
high LOAs. 

Finally, authentication solution designers in the 
commercial context have to take into account user ex- 
pectations, since users may abandon services that fail 
to protect anonymity when users consider it integral 
to their use of the service. Attempts to apply cyber 
security authentication solutions at lower LOAs may 
face similar resistance. 
Attribution: Determining Identity after a 
Transaction. 

Attribution is the analysis of information associ- 
ated with a transaction or series of transactions to try 
to determine the identity of a sender of a stream of 
traffic. Information collection and analysis is the fo- 
cus of attribution. Transaction design is also relevant 
to the extent that it can help assure the availability of 
information to analyze. 

The absence of an easy means of identifying the 
originator of malicious traffic gives rise to security 
policy concerns at multiple levels. First, on a practical 
level, the recipient of unwanted traffic is more limited 
in its ability to respond to the problem if it cannot 
identify the sender of that traffic. That recipient may 
restrict further traffic from a given network source, 
for example, but will have to regroup if the sender 
re-routes his or her traffic. Second, as a matter of tort 
and criminal law, it is difficult to construct a legal case 
against a virtual interloper without attribution. 

Third, as a matter of international law, the laws 
of war demand both proportionality of response and 
minimization of damage to the property of non-ag- 
gressors and neutral third parties. Even if there were 
a legal understanding of what actions constituted "cy- 
ber war," the use of military force would be imper- 
missible under international law without the ability to 
determine the identity of the aggressor. Relatedly, an 
attribution deficit reduces the effectiveness of deter- 
rence as a policy for discouraging bad actors, whether 
criminal or governmental. American foreign policy 
relies heavily on deterrence in other warfighting spac- 
es. In cyberspace, a lack of attribution may handicap 
that reliance. 

Because attribution is a forensic discipline, the key 
problems revolve around the availability, collection, 
and analysis of information. There are multiple kinds 
of relevant information. Both the malicious code itself 
and associated communications metadata can offer 
hints as to the identity of the sender. Traffic routing 
information can help trace communications back to 
their starting point. Background intelligence can help 
contextualize transactional information. 

Traffic routing information is particularly impor- 
tant to attribution. Meticulous attention to content can 
often remove traces of identity, but no sender can es- 
cape the fundamental truth of routing: content has to 
be sent from somewhere. As we discuss below, Inter- 
net protocol (IP) addresses are a useful source of iden- 
tity information. However, some policymakers argue 
that Internet transactions do not offer enough infor- 
mation about routing and that changes in routing systems 
and/or networks must produce additional information 
for attribution. Other experts warn, however, that 
network-level personal attribution is of limited forensic 
value. David D. Clark and Susan Landau, for example, 
argue that, rather than issuing calls for better 
attribution on the network, applications should be 
designed that do a better job of integrating identity 
and attribution when and only when it is actually 
necessary. 
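To show what the attribution problem looks like in practice, here is an added example, not code from the chapter: a handful of constructed web server log lines, a block list keyed on the source address (the "network source" restriction described earlier in this section), and a second pass that uses sender-left metadata (a TLS fingerprint and User-Agent, plus the paths probed) to link the re-routed traffic back to the blocked source. The log format, addresses, fingerprint values and thresholds are all constructed for this example.

```python
# Added example (not code from the chapter): attribution over constructed
# web server log lines. Blocking a "network source" (the client IP) fails
# as soon as the sender re-routes; metadata the sender leaves behind can
# still link the new source to the earlier one. The log format, the IP
# addresses, the ja3-style TLS fingerprint values and the thresholds are
# all constructed for this example.
import re
from collections import defaultdict

# Constructed log lines: a probing client, a benign reader, and the same
# probing client returning from a different address after being blocked.
SAMPLE_LOG = """\
2011-06-08T10:00:01Z 203.0.113.7 ja3=a1b2c3 ua="scanner/1.0" GET /wp-login.php 403
2011-06-08T10:00:02Z 203.0.113.7 ja3=a1b2c3 ua="scanner/1.0" GET /phpmyadmin/ 404
2011-06-08T10:00:03Z 203.0.113.7 ja3=a1b2c3 ua="scanner/1.0" GET /.env 403
2011-06-08T10:00:10Z 198.51.100.23 ja3=d4e5f6 ua="Mozilla/5.0" GET /index.html 200
2011-06-08T10:00:11Z 198.51.100.23 ja3=d4e5f6 ua="Mozilla/5.0" GET /news/1.html 200
2011-06-08T10:05:00Z 192.0.2.44 ja3=a1b2c3 ua="scanner/1.0" GET /wp-login.php 403
2011-06-08T10:05:01Z 192.0.2.44 ja3=a1b2c3 ua="scanner/1.0" GET /.env 403
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) ja3=(?P<ja3>\S+) ua="(?P<ua>[^"]*)" '
    r'(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$')


def parse_log(text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def block_by_source(events, min_errors=3):
    """The response the chapter describes: restrict further traffic from
    a source that has produced at least min_errors 4xx responses."""
    errors = defaultdict(int)
    for ev in events:
        if 400 <= ev["status"] < 500:
            errors[ev["src"]] += 1
    return {src for src, n in errors.items() if n >= min_errors}


def fingerprint(ev):
    """Sender-controlled metadata that survives a change of address:
    here the TLS fingerprint and the User-Agent string."""
    return (ev["ja3"], ev["ua"])


def sources_by_fingerprint(events):
    """Group source addresses by the fingerprint they presented."""
    groups = defaultdict(set)
    for ev in events:
        groups[fingerprint(ev)].add(ev["src"])
    return groups


def linked_sources(events, blocked):
    """Attribution step: addresses not yet blocked that share both a
    fingerprint and at least one probed path with a blocked address."""
    paths = defaultdict(set)
    for ev in events:
        paths[(fingerprint(ev), ev["src"])].add(ev["path"])
    linked = set()
    for fp, srcs in sources_by_fingerprint(events).items():
        hit = srcs & blocked
        for src in srcs - blocked:
            if any(paths[(fp, src)] & paths[(fp, b)] for b in hit):
                linked.add(src)
    return linked


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    blocked = block_by_source(evs)
    print("blocked by source:", sorted(blocked))
    print("re-routed and linked:", sorted(linked_sources(evs, blocked)))
```

The first pass shows the limitation the text describes: once the probing client returns from a new address it is under the block threshold again. The second pass recovers the link, but only to a tool configuration, not a person, and the sender can change the fingerprint as easily as the address; this is the sense in which network-level attribution is of limited forensic value.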

Increasing the ease of attribution may have unin- 
tended consequences. Re-engineering traffic routing 
for all Internet transactions will challenge privacy and 
anonymity, including in situations in which privacy 
and anonymity are in the best interests of the United 
States and other democratic countries. In contrast, 
some regimes have demonstrated an interest in us- 
ing Internet attribution as a means of controlling 
dissidents' access to information online. In addition, if 
attribution solutions require Internet service provid- 
ers to invest more heavily in specialized hardware or 
software, they may indirectly raise barriers to entry 
for new Internet services. Increasing attribution may 
also substantially affect policy efforts aimed at giv- 
ing consumers greater control over the compilation 
of online profiles. Weighing these consequences 
against the cyber security benefits is a critical task for 
policymakers. 

Authorization and Auditing: Security Issues 
beyond Authentication and Attribution. 

Although this chapter focuses on authentication 
and attribution, two other issues closely relate to 
identity and are critical elements of any secure sys- 
tem: authorization and auditing. Authorization is the 
process by which a given authenticated user identity 
is associated with a set of permissions. Authorization 
mechanisms are used, for example, to prevent the use 
of low-security accounts to access high-security infor- 
mation and controls. Policy interventions aimed at im- 
proving the technical security of authentication should 
not ignore the security of authorization mechanisms. 
Indeed, measures to improve authorization may offer 
some of the greatest benefits to cyber security at the 
least cost to other values. 

Auditing, meanwhile, refers to two processes. 
The first consists of reviewing a system periodically 
to ensure that it continues to function properly. The 
second consists of reviewing a system after it fails to 
determine what caused that failure. Keeping adequate 
system logs and reviewing such logs regularly and 
thoroughly is a critical security function. Unless sys- 
tems are audited, many compromises will never be 
discovered or will not be discovered until it is too late. 

Though both authorization and auditing are im- 
portant, authentication and attribution pose especial- 
ly thorny policy questions and have been the focus of 
much recent debate. Accordingly, this chapter focuses 
on authentication and attribution as the key policy 
problems, although further examination of authoriza- 
tion and auditing is certainly justified. 

IDENTITY AND THE INTERNET: HOW 
AUTHENTICATION AND ATTRIBUTION WORK 
IN PRACTICE, AND WHAT CONCERNS 
CURRENT SOLUTIONS RAISE 

Identity on the Internet: How Parties Exchange 
Identity Information, and What Information They 
Exchange. 

The Internet is a physical network of intercon- 
nected hardware devices. Each device uses the same 
suite of protocols, including the IP, to communicate. 
To forward data, the network of data connections be- 
tween those physical devices relies on IP addresses — 
"logical" addresses — rather than any information 
about physical device type or location. This offers sev- 
eral benefits. One is that the individual networks that 
make up the Internet can interoperate without each 
one having to maintain an exhaustive list of the physi- 
cal location of every communications partner on the 
Internet. Instead, routing protocols allow networks 
to determine which logical neighbor is closest to the 
destination, and to pass data along to that device. Not 
until the last step does the recipient's physical location 
matter. Another benefit is that physical devices of all 
kinds can join the Internet without having to adhere 
to a particular hardware specification. As long as a de- 
vice can run the protocols, it can exchange data with 
other devices. 

IP addresses are a key source of identity infor- 
mation exchanged with every Internet packet. As 
IP addresses are logical, not physical, they are not 
permanently tied to any particular user or machine. 
However, they do provide useful identity signifiers. 
Blocks of addresses are generally assigned to busi- 
nesses and Internet service providers (ISPs) and then 
leased to individual users. On its own, an IP address 
can often identify the country of origin and, depend- 
ing on how the owner of a block assigns addresses, 
perhaps a region, a city or neighborhood, or even a 
particular location. Moreover, at any given moment, 
every IP address in use is known by the ISP to be 
linked to a particular device or a particular physical 
address, which can be determined with the coopera- 
tion of the Internet service provider. Though the ISP 
may not always be able to map an IP address directly 
to an end-user device (e.g., when a user is connecting 
through a wireless router), it can point an investigator 
in the right direction. As a result, IP addresses can be 
very useful in locating the origin of traffic. 

The IP suite also requires that additional routing 
information be exchanged in Internet transactions. 
While this information does not relate directly to the 
identity of the transaction partners, it can be indirectly 
useful in identifying a sender. For example, packets 
contain a "time to live" (TTL) field that each router 
decrements by one as it forwards the packet. Because 
operating systems start the TTL at a few well-known 
default values, the value on arrival can sometimes 
indicate how many routing hops separate the origina- 
tor of a given stream of traffic from his or her target, 
although a sender who chooses an unusual starting 
value defeats the estimate. 
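
As an added illustration, not code from the chapter, the following Python parses the fixed part of an IPv4 header and turns the TTL into a hop estimate. It assumes the sender's stack started the TTL at one of the common operating-system defaults (32, 64, 128 or 255); the sample packet and its addresses are constructed for the example.

```python
import ipaddress
import struct

# Added example, not from the chapter. Parses the fixed 20-byte IPv4 header and
# estimates hop distance from the TTL. COMMON_INITIAL_TTLS are the usual
# operating-system defaults; assuming the sender used one of them is the
# weak point of the estimate.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 6, payload_len: int = 0) -> bytes:
    """Constructed sample input: an IPv4 header with no options (checksum left zero)."""
    return IPV4_HEADER.pack(0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(packet: bytes) -> dict:
    """Extract the fields an investigator looks at first: source, destination, TTL, protocol."""
    if len(packet) < IPV4_HEADER.size:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = IPV4_HEADER.unpack(packet[:IPV4_HEADER.size])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"header_len": (ver_ihl & 0x0F) * 4, "total_len": total_len, "ttl": ttl,
            "proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}


def estimate_hops(observed_ttl: int) -> tuple:
    """Return (assumed initial TTL, hops traversed). The initial TTL is taken as the
    smallest common default not below the observed value, since each router
    decrements TTL by one and a packet cannot gain TTL in transit."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL is an 8-bit field; values above 255 cannot occur")
```

The caveat the text raises shows up directly: a packet arriving with TTL 30 is read as two hops from a sender that started at 32, but it could equally be 34 hops from one that started at 64, and a sender can set any initial value it likes. The estimate is a hint for the investigator, not evidence.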

The last type of information contained within al- 
most all Internet packets is content, which can also be 
useful in attribution. Individual packets of informa- 
tion may bear hallmarks of their origin or traces of 
data from their sender. Natural language contents may 
be written in a particular foreign language or show 
evidence of having been written using a language- 
specific keyboard layout. Exploits and other forms of 
malicious code may contain stylistic signatures associ- 
ated with a particular user or group. Analysis of such 
content, however, is inevitably ad hoc. 

Aside from these general sources of identifying in- 
formation available within all Internet traffic streams, 
there are also information sources specific to authenti- 
cated transactions. For example, many online services 
require their users to authenticate themselves, which 
often provides a reliable means of identifying commu- 
nicants. Generally, commercial services design their 
own authentication protocols. Given the many classes 
of services that require authentication— financial in- 
stitutions, merchants, and so on — there are many dif- 
ferent authentication protocols. The most common au- 
thentication paradigm for services involves setting up 
an encrypted connection to the user using a one-time 
key, requesting authenticators^* from that user to es- 
tablish identity, and then allowing the authenticated 
user access to the service. 

Authentication may be performed by a third par- 
ty (the issuing party), with credentials subsequently 
passed to the service provider (the relying party), or 
the service provider may perform the authentication 
itself.^^ In the first case (the "triangle model"), the rely- 
ing party redirects the user login to the issuing party, 
which authenticates the user and then returns a token 
establishing the user's credentials to use the service 
provider site. One example of the triangle model is 
Facebook Connect, a service allowing users to lever- 
age their Facebook identifications (IDs) to log into oth- 
er sites. More sophisticated issuing parties may even 
handle authorization, returning a token that not only 
authenticates, but also specifies which services a user 
may use. In the second case, the service provider han- 
dles the authentication and authorization directly. An 
example of this bilateral model would be Apple's web 
services, which require that users establish accounts 
directly with Apple, and then authenticate directly to 
Apple itself. 

Entities that rely on identities issued by others 
possess the local account ID of the user — perhaps a 
real name, perhaps not— but not information about 
additional authenticators, such as passwords or infor- 
mation obtained through proofing. The issuing party 
possesses that latter information. Service providers 
who use the bilateral model have all the information 
collected during both the initial proofing step and the 
authentication step. 
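
As an added example, not code from the chapter or from any of the services it names, the following Python sketches the triangle model end to end and ties it to the authorization and auditing functions described earlier: the issuing party binds the authenticated subject, the LOA at which it authenticated, and the services it may use into a MAC-protected token; the relying party verifies the token, applies its own authorization policy, and records every decision for later audit. The shared key, the resource names and the minimum LOAs are assumptions for the example; a production system would use a standard token format such as SAML or OpenID Connect rather than a hand-rolled one.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example, not code from the chapter or from any identity service it
# names. The issuing party and the relying party share SHARED_KEY out of band
# (an assumption for the example; real deployments sign with an asymmetric key
# or use a standard token format).
SHARED_KEY = b"demo-shared-secret-do-not-use"

# Relying-party authorization policy: each resource needs a scope and a minimum
# level of assurance (LOA). Resource names and thresholds are assumptions.
RESOURCE_POLICY = {
    "billing:read": {"scope": "billing", "min_loa": 2},
    "scada:write":  {"scope": "control", "min_loa": 4},
}

AUDIT_LOG = []   # accounting: one record per access decision, allow or deny


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, loa: int, scopes: list, ttl_s: int,
                now: Optional[float] = None) -> str:
    """Issuing party: after authenticating the user, bind subject, LOA and the
    permitted services into one MAC-protected token with a short lifetime."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "loa": loa, "scopes": sorted(scopes),
              "iat": int(now), "exp": int(now) + ttl_s}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(tag)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Relying party: check the MAC (constant time) before trusting any claim,
    then reject expired tokens. Returns the claims or None."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = b64url_decode(body_b64), b64url_decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, resource: str, now: Optional[float] = None) -> bool:
    """Authenticate (verify token), authorize (scope and LOA), account (log)."""
    now = time.time() if now is None else now
    claims = verify_token(token, now)
    policy = RESOURCE_POLICY.get(resource)
    allowed = (claims is not None and policy is not None
               and policy["scope"] in claims.get("scopes", [])
               and claims.get("loa", 0) >= policy["min_loa"])
    AUDIT_LOG.append({"t": int(now), "sub": claims["sub"] if claims else None,
                      "resource": resource, "allowed": allowed})
    return allowed


def with_claims_changed(token: str, **changes) -> str:
    """What an attacker holding a low-LOA token might try: rewrite the claims
    while keeping the original tag. verify_token must reject the result."""
    body_b64, tag_b64 = token.split(".")
    claims = json.loads(b64url_decode(body_b64))
    claims.update(changes)
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return b64url_encode(body) + "." + tag_b64
```

Two design points are worth noting. The relying party never parses a claim until the MAC has verified, so a body edited to raise the LOA or add a scope is rejected before it can influence a decision. And the audit record is written on denial as well as on success: a run of denied requests for a high-LOA resource from a low-LOA account is exactly the kind of event that only regular log review surfaces.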

Cyber Security Concerns: Problems with 
Existing Exchanges and Areas of Possible Policy 
Intervention. 

Authentication Concerns. 

Critical infrastructure is lagging in the adoption 
of secure authentication,^'' but this does not seem to 
be due to any technological issues. There appears to 
be general consensus that the available technologi- 
cal means of authentication are sufficiently secure to 
protect information.^^ Under that assumption, then, 
the most important policy issues in authentication 
are ensuring that, first, critical infrastructure appro- 
priately adopts these technologies and, second, that 
critical infrastructure authorities properly implement 
these technologies to minimize the possibility of com- 
promise from human error. Adoption within critical 
infrastructure may be slowed by the lack of product 
metrics, the absence of agreement on what level of as- 
surance is appropriate for a given context, the dearth 
of information about cyber security risks and their 
costs, and poorly designed incentives for the adoption 
of improvements. Fundamental ease-of-use problems 
with identity technologies also exist, which may re- 
quire additional innovation. 

One barrier to adoption may be the absence of 
metrics surrounding the use of authentication tech- 
nologies. The average system administrator may not 
understand the relative merits of one technology or 
product over another. Product metrics that made 
comparison across technologies or products simpler 
could improve the ability of information technology 
(IT) professionals to understand tradeoffs. 

A second adoption barrier may be the absence of 
recognized levels of assurance (LOAs) for any given level of 
access or permission. Does a utility control system 
require more protection than a bank? Do different 
banking systems or functions require different levels 
of protection? If businesses knew which LOA was ap- 
propriate for a given system or function, they would 
have a common language with which to decide what 
level of security is appropriate. In turn, those levels of 
assurance can help make the creation of metrics easier 
as well, by allowing product security ratings to refer 
to LOAs.^^ To address these concerns, further work 
could be done to define appropriate LOAs for differ- 
ent private sector systems. In particular, LOAs that 
are more granular than the existing four-level govern- 
ment LOAs might help to speed adoption, given that 
security needs have many different dimensions across 
the full range of American industry. 

A third potential barrier to adoption of authentica- 
tion technologies is part of a broader cyber security 
concern: information sharing. Owners and users of 
information infrastructure may not understand their 
own vulnerabilities.^'' Without additional informa- 
tion connecting security failures with their ultimate 
costs, companies are unlikely to invest in better cy- 
ber security, and, by extension, better authentication 
mechanisms. 

Finally, even with better information, institutions 
may not have proper incentives to invest in measures, 
such as better authentication, that improve cyber se- 
curity. Some contend that cyber security is a public 
good and that the private sector may routinely under- 
spend: the costs of security expenditures go directly 
to the bottom line, but the economic consequences of 
breaches are diffuse.^" Under this theory, unless more 
of the costs of security failures transfer to the institu- 
tions that fail to invest in security, adoption of authen- 
tication technologies will continue to lag. 

Convincing critical infrastructure to adopt appro- 
priate authentication measures is only part of the battle 
for better authentication. The designers of authentica- 
tion products also need to focus on making those mea- 
sures easy to use without reducing their effectiveness. 
Flaws in protocols and software implementations are 
sometimes used to foil authentication mechanisms, 
and authentication manufacturers, like all software 
manufacturers, need to address those issues as they 
arise. However, the bigger threat comes from user er- 
ror. Through the misappropriation of authenticators, 
malicious actors can gain access to resources they are 
otherwise unauthorized to use. This information is of- 
ten exposed by the weakest link in the authentication 
chain: the individual user. 

One way to address this problem might be to in- 
crease the interoperability of credentials. When us- 
ers have a need to access dozens of online retailers 
and remote servers, each with its own authentication 
mechanism, the obvious temptation is to create mne- 
monics: either to duplicate authenticators across pro- 
viders (e.g., use the same username and password in 
multiple places) or to store authenticators in an easily 
accessible location (e.g., put passwords in a text file on 
a user's desktop). Such mnemonic solutions weaken 
the strength of authentication measures. If malicious 
actors can steal lists of authenticators from systems 
with weak protections or pull a stored list of authenti- 
cators off a user machine, they can use the authentica- 
tors to compromise a high-security target. It is easier 
to avoid mnemonics when a user authenticates to a 
single identity provider, and that provider in turn of- 
fers the user's credentials to each relying party. On the 
other hand, the compromise of an authenticator used 
across multiple services can have widespread conse- 
quences. Too much centralization can be as dangerous 
as too little. As noted above, the commercial identi- 
ties most likely to develop toward interoperability 
are unlikely to be useful in truly sensitive contexts. 
It is important, therefore, that interoperable systems 
intended to address these problems are implemented 
properly: technically secure, privacy-protective, and 
with appropriate provisions for multiple providers 
and for anonymous and pseudonymous identification 
at low LOAs.32 

The most important ease of use concern, how- 
ever, may be reducing the possibility of compromise 
through social engineering and other forms of intel- 
ligence collection. Social engineering — the act of ma- 
nipulating users into turning over confidential infor- 
mation such as authenticators — is a key component 
of many attacks on authentication mechanisms. By 
socially engineering users or otherwise collecting in- 
formation on those users, malicious actors obtain or 
recreate those users' authenticators without having 
to crack the authentication system itself. Striking the 
proper balance between usability and security is a key 
part of ensuring that authentication measures provide 
the expected amount of security.^^ 

Attribution Concerns. 

Even though IP addresses can help to determine 
physical location in many cases, they often fail to map 
traffic to a physical identity. Moreover, malicious ac- 
tors have developed techniques that allow them to 
obscure their logical identity when sending traffic to 
a target. Such techniques include identity-stripping, 
multistage attacks, and multistep attacks. In order to 
battle these techniques, attributors would need addi- 
tional information. This information could come from 
two sources: the collection and sharing of existing in- 
formation between networks on the larger Internet, 
and the creation and collection of additional informa- 
tion connecting both logical and physical identities to 
incoming traffic. 

Although IP addresses can be helpful in narrowing 
down a communicant's location, an Internet-facing 
IP address does not easily map to a particular user. 
In various situations, users connect to the Internet 
through systems using Network Address Translation 
(NAT). Such systems pool traffic on an internal net- 
work and stream it out to the Internet using a single 
Internet-facing IP address. These systems may or may 
not retain a history of the devices that used the service. 
Users can also move from local system to local system 
while continuing to communicate with a traffic recipi- 
ent, which provides another way to change their IP 
addresses. Even when records from the right location 
at the right time can be found, they are likely to map 
only to a physical hardware address, not a physical 
user identity.^^ 

Sophisticated malicious actors take steps to make 
attribution through logical addresses even more 
difficult. When a given attack does not depend on 
two-way communication, as when a malicious actor 
attempts to shut down a system by flooding it with 
traffic (a distributed denial of service attack [DDoS]), 
the sender can forge the source IP address on each 
packet it emits (spoofing) to stymie attribution, since 
no reply ever needs to reach the sender. At 
that point, attributors must trace step-by-step back 
through packet logs that may or may not exist, and 
that are often not on machines controlled by the re- 
cipient, in order to find the packets' origin. 

Even when an attack does require two-way com- 
munication, a sender may disguise his logical identity 
in other ways. Multistage attacks, for example, route 
through large numbers of servers and/ or through 
networks of compromised computers (botnets). By 
issuing commands with several intermediate recipi- 
ents between source and destination, the control- 
ler again requires a prospective attributor to trace 
control information back through those routes. That 
path will likely include machines that are not part of 
the recipient's network and that are beyond the easy 
reach of investigators in the country where the recipi- 
ent resides. Many multistage attacks also take place 
in several temporally distinct steps. In other words, 
over a long period of time, individual machines may 
be compromised, and the resident malicious software 
will lie dormant until activated by a controller. Such 
multistep attacks can make finding the original send- 
er even more difficult, because information required 
to trace the traffic back to its origin may not have 
been retained. 

These malicious techniques rely on the proposi- 
tion that tracing traffic through multiple networks is 
difficult. One possible policy intervention, then, is to 
increase the ease with which data are shared between 
networks and between machine owners. However, 
the number of entities that potentially hold relevant 
routing data is very large, consisting of essentially 
every computer connected to the Internet. Creating 
a trusted network for information sharing even just 
among the community of ISPs has not proven feasible 
yet, especially when service providers are in different 
countries. "[C]ooperation among institutions that pos- 
sess this data has been slow to emerge" for a number 
of reasons. 

As with the slow adoption of authentication mech- 
anisms, incentives may be part of the problem."*^ Those 
who possess relevant data may not suffer enough di- 
rect damage to make information sharing a priority. 
Legal barriers to information sharing between ISPs 
may also play a role. ISPs may fear that sharing such 
information will run afoul of federal laws on the pri- 
vacy of communications data.^^ Cautious legal counsel 
may advise against testing the boundaries of the law. 
Finally, there may also be technical barriers. Some 
routers may not currently possess the capabilities 
required to store traffic information for a significant 
length of time, or to perform more advanced monitor- 
ing of traffic. 

Once domestic barriers are addressed, the more 
challenging problem of sharing traffic information 
across international borders remains. Law enforce- 
ment agencies such as the Federal Bureau of Inves- 
tigation (FBI) do work across borders to track cyber- 
criminals, and several Western nations have ratified 
the Budapest Convention, a framework for sharing 
information related to online crime.^'' However, at- 
tempts to create a legal framework that reaches more 
countries and covers a wider range of cyber security 
incidents have not progressed.^" Cyber attacks cross 
and re-cross borders before reaching their targets. So 
long as some nations fall outside the network of coop- 
eration, attribution may not be able to proceed further 
than determining a country of origin. 

Going beyond attempts to increase information ex- 
changes, policies could also attempt to create entirely 
new information trails. The simplest means of doing 
so would be to implement some of the authentication- 
oriented changes discussed in the previous section. 
Attribution is only possible where there is information 
to audit; instituting new and stronger authentication 
and authorization mechanisms with associated audit- 
ing capabilities and deploying them to critical systems 
creates that information. Building attribution capabili- 
ties into authentication systems is part of the classic 
network identity and security paradigm known as 
authentication, authorization, and accountability 
(AAA).^^ Computer security experts use authentica- 
tion mechanisms to establish the acceptability of an 
identity and authorization mechanisms to associate 
it with actions. Then, through an accounting and log- 
ging system, these mechanisms provide records for 
investigators to retroactively check that identity's use 
of the system — in other words, to attribute actions. 

More fundamental technological changes might 
include generating more information about traffic as 
part of the routing process, linking logical identity 
more tightly to traffic, and even tying physical iden- 
tity to logical identity through some sort of registra- 
tion process. All of these methods would create at 
least some additional information useful to attribu- 
tors, but the barriers to uniform global cooperation 
are very high, and the associated technologies could 
also be subverted by sophisticated malicious actors. 
Putting such changes into place, though, would also 
have moderate-to-severe consequences. 

PROPOSED SOLUTIONS TO CYBER 
SECURITY IDENTITY PROBLEMS: 
WEIGHING THE OPTIONS 

Suggestions for solving cyber security identity 
problems are numerous. This final section lays out 
some proposals that have been raised in various leg- 
islative, technical, and diplomatic forums: first those 
aimed at authentication issues and then those aimed 
at attribution issues. This section briefly discusses 
some of the strengths and weaknesses of each pro- 
posal and also sheds light upon any significant effects 
that policy interventions may have in areas beyond 
cyber security. Ultimately, the section concludes that 
authentication-oriented proposals are more likely to 
create substantial security benefits and less likely to 
result in undesirable consequences for other values 
than attribution-oriented proposals, and that policy- 
makers should strongly consider less coercive means 
of increasing the uptake of successful authentication 
technologies before turning to regulatory solutions."*^ 

Authentication-Related Policy Proposals. 

• Specify or improve cyber security standards, 
levels of assurance for private-sector systems, 
and/or metrics for authorization products. The 
creation, improvement, and adoption of secu- 
rity standards and metrics for both systems and 
products can help prioritize the deployment of 
strong authentication where it is most needed. 
Such standards could be developed through 
various processes, involving more or less gov- 
ernmental involvement, and their adoption 
could be promoted by a variety of means. The 
White House has suggested that a federally 
guided process for developing LOAs and met- 
rics would help fill important gaps.''^ 

Without prioritization, any movement toward 
greater authentication could be chaotic, so 
better-defined LOAs and metrics would 
help focus efforts toward securing critical 
infrastructure first. Ideally, standards and 
metrics would be industry-created, given 
the superior understanding of authentica- 
tion system design in the private sector. 
Government-created standards or metrics 
run a risk of ossifying authentication system 
design because of their potential inflexibility. 
Given the information deficit in the private 
sector regarding the nature of the cyber se- 
curity threat, however, government collabo- 
ration in standards design in some capacity 
seems appropriate. 

• Mandate authentication mechanisms for criti- 
cal infrastructure. It may not be sufficient to 
wait for owners to comply voluntarily with 
suggested government levels of assurance.*^ 
Multiple cyber security bills put forward in 
a recent session of Congress considered the 
imposition of regulatory standards on critical 
infrastructure systems, authority that could en- 
compass standards for authentication.^^ 

Regulation may be capable of pushing 
strong authentication standards onto critical 
infrastructure farther and faster than merely 
voluntary standards and LOAs, assuming 
that the designated regulator issues regula- 
tions in a timely manner and with sufficient 
specificity. At the same time, regulation in 
highly technical areas like information secu- 
rity can slow innovation and hold back the 
adoption of new and better security mecha- 
nisms. Moreover, before critical industries 
can be regulated, they must be defined; some 
of the recent bills are vague on what systems 
should be covered.^^ 

Separately, the mandating of authentication 
may stifle both innovation and free speech 
rights unless "critical infrastructure" is care- 
fully delimited. While multifactor authenti- 
cation may be desirable for some factories 
and power plants, it is inappropriate for the 
government to demand that many other net- 
worked systems, such as communications 
networks, authenticate their users. Anonym- 
ity is a core free speech value,"*^ and main- 
taining the right to anonymity in online com- 
munication is critical to keeping that right 
vital in the digital age. 

• Increase the costs to various parties of breaches 
caused by the failure to take sufficient security 
measures. Increasing the costs of an avoidable 
security failure to the responsible ISP, network 
service provider, security software provider, or 
system operator would increase those parties' 
willingness to take steps to improve authenti- 
cation. Cost increases could come in the form of 
regulatory fines for breach or in tort damages to 
affected parties. Legal scholars have suggested 
various ways to shift cost.*^ 

As a practical matter, such approaches may 
be difficult to implement because of the 
complexities of determining causation in 
cyber security breach cases,^'' as well as the 
difficulties of defining a standard of care. 
These uncertainties, compounded by in- 
nate difficulties in predicting outcomes in 
the court system or in regulatory processes, 
may also cause innovation in security tech- 
nologies to slow as service providers choose 
only those technologies that are court- or 
regulator-approved. 

• Enhance federal compatibility with com- 
mercial identity infrastructure. It has been 
proposed that security in the consumer and 
e-government contexts could improve by en- 
hancing the interoperability of identity. This is 
a major theme of the draft National Strategy for 
Trusted Identities in Cyberspace (NSTIC).^° 
While the NSTIC is premised on the 
principle that the private sector should have 
the lead in the development of identities for 
access to online services, the federal gov- 
ernment might be able to speed adoption 
of interoperable credentials by relying on 
commercially issued identities for authen- 
ticated transactions with government agen- 
cies. The White House strategy recognizes 
that over-centralization of identity data 
poses privacy risks. Among other things, 
identity providers could have a broad win- 
dow into online behavior. The White House 
proposal calls for an identity ecosystem that 
would allow users to move freely between 
identity providers.^^ 

Attribution-Related Policy Proposals. 

• Improve domestic sharing of cyber attack-re- 
lated information. Attack traceback is a critical 
component of attribution and of information- 
sharing facilitates that traceback. The sharing 
of cyber security information between ISPs and 
other network operators in the United States is 
thus an important step in malicious code analy- 
sis and attack prevention, not least because it 
pools information about attacks that can lead 
to attribution. The major service providers and 
network backbone providers already share 
some information, but have floated proposals 
that would allow them to share more.^^ 

Improving information sharing may require 
amendments to existing electronic privacy 
laws, and creating or expanding cyber se- 
curity information-sharing exceptions will 
inevitably pose privacy concerns. Narrowly 
tailoring any new exception could help to 
minimize the impact on privacy. 

• Improve international sharing of cyber attack- 
related information. Information sharing is es- 
pecially important when international traffic is 
involved; sharing across borders is the only re- 
liable way to attribute traffic to foreign end us- 
ers. The Budapest Convention on Cybercrime 
recognizes this importance: of the seven articles 
that contain specific obligations for parties, six 
require cooperation in data retention and infor- 
mation sharing, and the seventh requires a 24- 
hour point of contact for data requests. How- 
ever, implementation to date has been limited; 
even between signatories, sharing is not swift 
or guaranteed.^* Broader ratification of the con- 
vention and the adoption of a protocol giving 
more specificity to information-sharing obliga- 
tions might help. 

However, international information-sharing 
frameworks that are not carefully designed 
or do not include adequate standards risk 
both inadvertent or unjustified sharing of 
Americans' private data with overseas enti- 
ties and the possibility that American com- 
panies may need to participate in enforcing 
foreign laws in contravention of U.S. foreign 
policy goals. Since a large percentage of 
the world's Internet traffic passes through 
the United States, a large share of the bur- 
den of improved information sharing might 
fall on U.S.-based service providers. In a 
larger national security framework, rules 
that guaranteed information sharing could 
undesirably tie American hands, given our 
reported advantages in cyber offense and 
cyber exploitation.^^ 

• Institute IP traceback mechanisms on a vol- 
untary or mandatory basis. Some technologi- 
cal solutions to the attribution information 
deficit have been discussed. One set of solu- 
tions involves the implementation of IP trace- 
back mechanisms, which require routers and/ 
or other intermediaries between the sender and 
recipient of a stream of traffic to send signals 
periodically to the recipient. In theory, the re- 
cipient will ultimately hear from many points 
along the path that the traffic has traveled, 
which will assist in reconstructing the path 
from source to destination. 

There have been a number of proposals for 
performing IP traceback without redesign- 
ing fundamental network protocols.^*' As of 
May 2008, a working group at the Interna- 
tional Telecommunication Union (ITU) was 
attempting to create a unified IP traceback 
standard for telecommunications equip- 
ment manufacturers.^^ The intermediary 
use of ITU-standards-compliant routers is 
voluntary. A regulatory process for critical 
infrastructure, as proposed in some cyber 
security bills, could make it mandatory on a 
domestic basis but, as with other solutions 
requiring cross-border implementation, the 
problems of international adoption remain 
daunting. Also, IP traceback mechanisms be- 
yond simple logging have seen only limited 
use in the real world. They may be highly 
effective or trivially avoidable. 

To the extent that IP traceback is effective, it would provide a powerful tool to attributors. It will also present a barrier to the privacy and anonymity of users vis-a-vis both governments and ISPs. While not as dangerous as full-on authentication for all communications networks, IP traceback still gives intermediaries with enough technical know-how a way to trace "undesirable" speech. This would be a powerful tool for governments interested in tracking and stifling dissenters.

For example, as the recent revolutions in Egypt and Libya demonstrated, the Internet is invaluable for organizing and for circumventing government control of other communications channels. One critical component of dissidents' online activities has been the use of tools designed to circumvent government surveillance, many of which are financed, in part, by the U.S. Government. Traceback mechanisms threaten the use of those tools and the safety of those activists.

Readdress the Internet along geographical lines. As the Internet moves from an older version of the IP (IPv4) to a newer one (IPv6), there may be an opportunity to map logical addresses more closely to physical addresses. The larger address space of IPv6 may make it easier to permanently associate some subset of physical devices with fixed logical addresses. It also provides a rare chance to reconsider the procedures for assigning addresses. At least one ITU proposal has suggested that IPv6 addresses be assigned along geographical lines. Again, achieving consistent international implementation seems unlikely, especially when certain government agencies themselves would likely resist being reliably identified.

Pinning logical addresses to devices and/or assigning them geographically would assist in attribution, although careful safeguards would have to be in place to avoid the falsification of addresses (spoofing). Any strong link between IP and physical devices might assist in the persistent tracking of the user of that device, even over multiple Internet sessions, which raises privacy and free speech concerns similar to those discussed in the previous section.

Engineer more identity information into packets. Some technologists have also proposed redesigning the IP or other base protocols to carry more reliable identity information about the sender within each packet. The simplest proposals in this area merely attempt to alter routing information to make spoofing of logical addresses more difficult. Others add device-identifying signatures directly to each packet. Some policymakers have even implied that each packet should link to identity information about the user rather than that user's device, presumably through some sort of authentication mechanism.

Technologists argue that user-focused proposals, in particular, are only marginally helpful in solving attribution problems. Both user- and device-oriented changes to IP raise market action, innovation, and civil liberties issues. Only heavy subsidies or heavy regulation will persuade institutions and individuals to give up their existing Internet devices. Any Internet-like network that has identity-storing gatekeepers is also a network with significantly higher barriers to entry for innovators, who may now need permission to operate their online services. Such a network would make anonymous speech much more difficult and sharply reduce online privacy.

After examining all of these proposals in the context of their security effects and their effects in other realms, it is clear that there are two major differences between the class of attribution-oriented proposals and the class of authentication-oriented proposals. First, the civil liberties impacts of many of the attribution-oriented proposals may be heavy — the technical proposals, in particular, impact privacy, free speech, and anonymity both at home and abroad — while the civil liberties impacts of the authentication-oriented proposals, if appropriately restricted to critical infrastructure, are lighter. Second, the attribution-oriented proposals address both the creation and deployment of new and unproven technologies, while the authentication-oriented proposals focus mostly on deployment alone, because existing authentication technologies are largely proven.

This suggests that, given limited resources, policymakers should focus heavily on authentication-oriented policies as the more effective option for addressing the cyber security identity information deficit. These policies rely on established, successful technologies rather than on unproven changes to the fabric of the network, and they carry fewer ancillary concerns for other national values such as civil liberties and innovation. This is so, in large part, because they can be targeted where needed rather than requiring broad-based deployment across communications networks, and therefore the civil liberties penalties fall largely on the limited subset of users who access critical systems rather than the full spectrum of Internet users. Moreover, authentication improvements can also help address attribution concerns as they relate to critical systems — as part of the AAA model of identity and security, authentication can provide the basis for better auditing, which in turn can drive better attribution. By ensuring the deployment of state-of-the-art authentication technologies to critical systems, policymakers may also be able to eliminate a substantial portion of the attribution problem.

Separately, there is a follow-on question as to the right mix of incentives for deploying authentication technologies. Striking the right balance between financial incentives, regulatory commands, and collaborative government-industry standards-setting and research should be the key concern of policymakers. Given that a top-down regulatory approach can backfire, with potentially serious economic consequences, legislators should promote incentives and collaboration as an alternative to regulation where possible.

CONCLUSION

Addressing the identity problems associated with cyber security requires policymakers to distinguish among the various functions of identity technologies, including authentication and attribution. Many proposed solutions aimed at improving online identity for cyber security purposes would impinge on other values. As a result, any attempt to intervene in online identity technologies will demand a careful balancing of costs and benefits, with serious consideration given to that intervention's impacts upon civil liberties, economic freedom, technological innovation, and global discourse. After considering these issues in this more global context, policymakers will find that deploying better authentication technologies to critical infrastructure is the best first step in cyber security identity policy.
CHAPTER 7

EXPLORING THE UTILITY OF OPEN SOURCE DATA TO PREDICT MALICIOUS SOFTWARE CREATION

George W. Burruss
Thomas J. Holt
Adam M. Bossler

A version of this chapter was presented at the an- in 2009 in Philadelphia, PA, and at the Department of Defense Cybercrime Conference in 2010 in St. Louis, MO. The authors thank Joseph K. Young of Southern Illinois University, Carbondale, for his helpful suggestions about an earlier draft of this chapter.

INTRODUCTION 

The information security community has developed a variety of tools to identify and defend against malicious software, though few in the social sciences have explored the environmental and social factors that may affect the creation and distribution of malware. This is due in part to the dearth of available data on the country of origin of malicious software developers and the volume of tools created by hackers across the world. Open source malware repositories exist in online environments, though it is not clear how valid or reliable this information may be to understand the scope of malware. This chapter explored the value of open reporting for malware creation and distribution, and considered how this information may combine with other measures to explore the country-level economic, technological, and social forces that affect the likelihood of malware creation. The findings will improve our understanding of the value of open source data and the prospective influences of macro-level computer crime and hacking in a global context.

Although studies of cybercrime have grown exponentially over the last 2 decades, there are multiple issues regarding the validity and generalizability of cybercrime data. In general, official data on most forms of cybercrime are non-existent, inadequate, or inaccessible to the public. Though various entities in the private sector collect information on certain cybercrimes, malware trends, and specific attacks, they may be unwilling to share that information with researchers because of proprietary methods or information that may be lost. Therefore, most social science scholars interested in the phenomenon of cybercrime collect primary data, often from college students, to understand the scope and predictors of both participation in cybercrime and experiences with victimization. These studies provide useful information on various forms of cybercrime and cyber deviance, such as digital piracy, online harassment, and minor forms of computer hacking. These populations do not, however, appear to engage in the creation of malicious software or more serious forms of computer hacking, which limits our understanding of these phenomena.

For those interested in studying cybercrime at the macro level, data collection and aggregation challenges are even more complex. Cross-national comparisons of crime have been problematic for the study of traditional crimes, since official crime statistics are not available or reliable for many non-Western nations. In addition, reporting crime to law enforcement agencies is not consistent across the world, creating pockets of underreporting. Finally, behaviors are defined and criminalized differently across countries and regions. For example, N. L. Piquero and A. R. Piquero explain that the East and West view intellectual property differently. Developing nations that have desires for continued economic and technological growth may have no interest in passing and/or enforcing legislation protecting intellectual property, as this would otherwise hinder growth and development. As a consequence, cross-national research often examines more traditional and consistently operationalized offenses such as homicide, using data collected by international nongovernmental agencies.

One way that researchers may move beyond the data aggregation issues affecting cybercrime is through the use of data developed in online environments such as web forums, bulletin board systems, and archival websites. The emergence of the Internet enables significant social interactions between individuals across the globe, whether through real-time communications via email or instant messaging, or asynchronous methods like blogs and texts. As a consequence, researchers can mine these data sources for information to understand cybercrime better, much the same way as traditional ethnographic research on criminal behavior in the real world.

In particular, there are websites that act as online repositories that maintain information on the discovery and description of malicious software and attacks against various resources. Individuals in the hacker community often discuss the tools and resources they find with others in forums and chat rooms in order to gain social status or respect from their peers. Sharing resources may also help elevate an individual's reputation in the digital underground by demonstrating their skill and ability. Furthermore, the computer security community maintains open source repositories of vulnerabilities and exploits — identified in various outlets — to improve awareness of security trends, thereby increasing overall levels of security.

As a consequence, examining these sites can provide practical secondary data sets for social science researchers to understand the potential distribution of malware creators across the globe, the complexity or functionality of these tools, and the influence of various social factors on cybercrime at the macro-level. Data from these repositories can help fill the void left by the lack of reliable and accessible data from the government and private sectors. In addition, these repositories rely neither on governments to report data nor on individuals within a country to report the offending or victimization that has occurred in that country. Instead, interested parties from other countries who have made discoveries can provide information on that software, alleviating many of the problems described and identified in Piquero and Piquero's study of software piracy, regarding cultural definitions of intellectual property and nations' willingness to protect it. Given the increasing availability and proliferation of open source repositories for information about cybercrimes and attacks in online environments, this study utilized a sample of data developed from one such repository to examine the macro-level predictors of malicious software creation.
LITERATURE REVIEW

The Problem of Malware.

Malicious software systems, or malware, include computer viruses, worms, and Trojan horse programs that can alter functions within computer programs and files, thus enabling attacks against a massive number of targets. Viruses can conceal their presence on computer systems and networks, and can spread via email attachments, downloadable files, instant messaging, and other methods. Trojan horse programs also often arrive via email as a downloadable file or attachment that people would want to open, such as photos, videos, or documents with misleading titles such as "XXX Porn" or "Receipt of Purchase." When the file is opened, it executes some form of malicious code. In addition, some malware is activated by visiting websites, which exploit flaws in web browsers. Though worms do not involve as much user interaction as other malware because of their ability to use system memory and to self-replicate, humans can facilitate their spread by simply opening emails that have the worm code embedded in the file.

The losses associated with malicious software infections and theft are massive, due in part to the costs to remove these programs from a network, declines in productivity among employees and computer systems, and customer apprehension about compromised web pages or online resources. For example, U.S. companies who participated in a recent Computer Security Institute study reported losing an average of $40,000 per respondent due to viruses and $400,000 due to another form of malware called botnet infection. Furthermore, the risk of malicious software is difficult to mitigate, as almost 25 percent of personal computers around the world that run some form of security solution nonetheless have malware loaded into their memory, compared with 33.28 percent of unprotected systems. Thus, malware infection poses a significant threat to Internet users around the globe.

Despite the significant role and utility of malicious software in cybercrime, there is generally little research examining the creators or developers of malware. Individual-level studies suggest that the creators of malware tend to be lone hackers or individuals working in small groups to produce the tools that can be used for financial theft, fraud, or as an instrument to facilitate greater access to computer systems and networks for subsequent attacks. Explorations of the hacker community indicate that hackers exist within a subculture that values profound and deep connections to technology. This subculture is also a meritocracy where others are judged based on their capacity to utilize computers in unique and innovative ways. Access to computer hardware, software, and Internet connectivity varies by place, though there is evidence to suggest hacker communities are present in areas across the emerging world, including North Korea, Central America, and Northern Africa. Thus, one need simply obtain access to computer technology in order to participate within this community.

Hackers are also driven by a variety of motives, particularly status, ego, cause, entry into social groups, and, most notably, economic gain. Hackers also have shifting ethical beliefs about hacking, which concern the consequences of their actions, as demonstrated by their willingness to share hacking tools and sensitive or fraudulently obtained information in public outlets online. Thus, developing and releasing a highly functional program like a virus, worm, or Trojan horse is a sensible act for a hacker, because he or she may gain respect and status among others, and capitalize on these programs to generate a profit.

Despite the significant risks of hackers and malware to all individuals connected to the Internet, no agreement has been reached worldwide on the best strategies to curtail these problems. For example, the U.S. Computer Fraud and Abuse Act can be used to prosecute the distribution of malicious software through "any computer connected to the Internet, regardless of whether the computers involved are located in the same state." Similar statutes, or models for statutes, such as the United Kingdom (UK) Computer Misuse Act and the Council of Europe Convention on Cybercrime, are in place in industrialized nations to prosecute malware writers and distributors. Emerging industrial nations, however, are less likely to have developed legal guidelines related to malware and other forms of cybercrime. As a result, there are now legal safe havens where malware writers and hackers can operate with minimal risk of extradition and prosecution. For instance, individuals sell services to host malicious software and pornographic materials in Malaysia and other parts of Southeast Asia, where there are fewer legal risks for the buyers, sellers, and operators.

THEORIZING THE STRUCTURAL 
CORRELATES OF MALWARE CREATION 

Though scholars are starting to learn more about hackers and their subculture, little research exists on the macro-level factors that provide a supportive milieu for individuals to develop malicious software. This is problematic, considering that evidence suggests a great deal of modern malware is created and used by computer hackers in foreign countries, particularly China, Russia, Brazil, and Eastern Europe. Few have considered what technological, economic, or social conditions engender the development of malware in these nations, and little to no research considers what forces constrain malware creation. This is a particularly significant issue, given the changing landscape of technology and the economic and social conditions related to access to the Internet and computer resources. As a consequence, it is unclear what factors encourage or hinder malicious software production.

For example, the gross domestic product (GDP) of a nation may have a significant influence on the level of malware produced by a given nation. Specifically, as the economy of a nation improves, this will increase the proliferation of technological infrastructure and resources, which may increase the capacity for actors to become part of the larger international hacker community. Countries with poor economic conditions in comparison to other countries may have less access to high-speed Internet connectivity and powerful computer technology, diminishing the resources available to hackers. A strong economy may also foster a competitive and stable educational system in which computer skills are taught, thus providing a larger labor force with more advanced skills. As long as there is economic growth and stability, individuals with computer skills and training should have access to legitimate jobs within the information technology service sector where many hackers find legitimate employment. Developing nations appear to have an interest in creating and using malicious software that can be applied in information-warfare campaigns against rival nations. Such attacks can be performed with minimal economic investment and low risk of attribution to the originating nation, thereby increasing their overall efficiency. Thus, it is hypothesized that, as GDPs increase, countries become more suitable environments for hackers and the creation of malicious software.

In addition, the number of Internet hosts available in a nation may play a critical role in enabling hackers to create and distribute malware. The global connectivity afforded by the Internet enables hackers to identify and use resources created by different entities around the world. At the same time, research has noted that substantial hacker communities in Russia, China, and Turkey often utilize web resources created and hosted within their nations as a means of limiting access to outsiders. Thus, if a nation has a larger number of web-hosting resources available, there may be greater opportunities to develop, promote, and share malware and hacking information with their fellow countrymen. This suggests Internet hosting may have a positive impact on the creation of malware.

A country's political system may also influence the production of malware. In theory, one would speculate that democratic or representative government structures, which provide fewer restrictions on individual behavior, would be more likely to encourage innovation and creative efforts. As a consequence, hackers could work covertly to develop resources with less fear of brutal reprisals from the government. However, democratic countries are generally where intellectual property originates, and thus have some of the most stringently enforced intellectual property laws. In addition, totalitarian regimes have historically allowed hackers to attack victims in other nations and have employed or exploited hackers as a means to attack competing democracies. For example, there are a number of reports indicating that hackers with ties to the Chinese military or government have engaged in attacks against the United States and other nations in order to steal sensitive information. Since the identification of individual hackers is difficult, countries can target their enemies through individual hackers without fear of political reprisal. Thus, it is hypothesized that malware will be more often created and utilized in countries with totalitarian regimes than in democratic nations with more political rights.

The ethnic and religious composition of a nation may also affect what countries are more likely to host the creation of malware, but it might affect it on a case-by-case basis. Specifically, a substantial mix of ethnic groups or religions within a nation may cause civil unrest and lead to attacks against different groups within that nation. A predominant ethnic identity within a nation may lead a minority group to utilize hacks and malware as a force multiplier against the government. This is evident in Sri Lanka, where an offshoot of the group the Tamil Tigers uses hacking techniques as a means of disrupting government operations. However, a homogeneous population might simply aim its attacks outwardly rather than inwardly. For example, Turkish hackers frequently attack targets outside of the borders of their Muslim-majority nation. Thus, it is unclear what effect ethnic and religious compositions may have, if any, on malware production.
THE PRESENT STUDY

Despite the significant problems posed by malware, there is little research examining the economic, technological, and social factors that may affect its creation. In this chapter, we propose that online repositories containing data on malicious software can be valuable to study the macro-level correlates of malware creation. If fruitful, this would provide researchers with an additional avenue to study malware specifically and cybercrime generally. Some prospective hypotheses can be derived by considering the extant literature on computer hackers and technology adoption. Specifically, environments will be more suitable for the creation of malicious software as GDP and Internet hosts increase in countries governed by regimes that limit political rights. It is unclear how ethnic and religious composition will relate to malware creation. Adopting a strategy similar to that used by K. Drakos and A. Gofas in their study of transnational terrorist attacks, this study explored the global variation in the production of malicious software through a zero-inflated negative binomial regression (ZINB). In this way, this chapter contributes to the literature by developing an empirical profile of country-level variables that can predict malicious software production while illustrating the usefulness of open source repositories.

DEPENDENT VARIABLE 

The data for the dependent variable used for this study (MALWARE) came from an open source malware repository where individuals could post information obtained on malicious software, either because the individual created a program or identified it in the wild. This open source repository provided self-reported information on malware around the globe. In order to report information to the website, an individual would send an email detailing the tool with as much information as possible to the site's director. This repository has been in existence for some time, as it maintains records on malware going back to 2001. Such information would suggest the repository had some recognition in the computer underground and was reputable. It is, however, apparent that self-reporting may undercount the actual number of malicious software programs produced and released by the hacker community.

Given the range of years available, the dependent variable for this analysis was the number of malicious software programs reported in a country in the years 2006, 2007, and 2008 (see Table 7-1 for descriptive statistics). It was necessary to combine multiple years as the number of countries reporting a positive count was extremely low each year: 18, 24, and 18, respectively. Combining these years, however, increased the number of countries with a positive count to 30. This ensured sufficient power for both processes in the ZINB model. Limiting the years included also minimized errors due to lagged effects or changes in the predictor variables, which were taken from 2008.

Many of the malware reports did not identify a country of origin for these tools (50 percent of all). As a result, a number of cases were excluded from the analysis, which may contribute to the undercounting of countries in this chapter. There is, however, significant difficulty in properly identifying the point of origin for a piece of malicious software. Specifically, a malware writer may state where he or she created their tool in the program notes, or post their tool directly into this repository providing the necessary information. Some programs may not contain such information, however, and an individual may ascribe an origin point based on the language character set, such as Cyrillic, Chinese, or Western, used in the user interface of the tool kit. While these conditions may affect the validity of the dependent variable, it is still likely that the attributions are accurate and provide some insights into the location of malware creation.

Number of reported programs   Countries

0                             Afghanistan, Albania, Algeria, Andorra, Angola, Antigua and Barbuda, Armenia, Australia, Austria, Azerbaijan, Bahamas, Bahrain, Bangladesh, Barbados, Belarus, Belize, Bhutan, Bolivia, Botswana, Brunei, Burkina Faso, Burma, Burundi, Cambodia, Cameroon, Canada, Chad, Costa Rica, Cote d'Ivoire, Croatia, Cyprus, Czech Republic, Djibouti, Dominica, Dominican Republic, Ecuador, El Salvador, Estonia, Ethiopia, Fiji, Finland, Gambia, Ghana, Greece, Grenada, Guinea, Guinea-Bissau, Guyana, Haiti, Hungary, Iceland, Indonesia, Ireland, Israel, Japan, Jordan, Kazakhstan, Kenya, Kiribati, South Korea, Kyrgyzstan, Laos, Latvia, Lesotho, Liberia, Libya, Liechtenstein, Lithuania, Luxembourg, Macedonia, Malaysia, Mali, Marshall Islands, Mauritania, Mauritius, Micronesia, Moldova, Mongolia, Mozambique, Namibia, Nauru, Nepal, New Zealand, Nicaragua, Niger, Norway, Pakistan, Panama, Paraguay, Philippines, Samoa, Senegal, Sierra Leone, Singapore, Slovakia, Slovenia, Solomon Islands, Somalia, South Africa, Sri Lanka, Sudan, Swaziland, Switzerland, Taiwan, Tajikistan, Thailand, Togo, Trinidad and Tobago, Turkmenistan, Tuvalu, Uganda, United Arab Emirates, United States, Uruguay, Uzbekistan, Vanuatu, Vietnam, Zimbabwe

1-10                          Bosnia Herzegovina, India, Ukraine, United Kingdom, Venezuela, Saudi Arabia, Italy, Peru, Syria, Bulgaria, Chile, Mexico, Argentina, Colombia, Morocco, Spain, Egypt, Tunisia

11-20                         Netherlands, Romania

21-50                         Belgium, France, Georgia

51-115                        Germany, Brazil, Russia, Turkey, Iran, Poland

116-360                       China

Table 7-1. Counts of Malicious Software Programs Across Countries.
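The steps just described for building the dependent variable, as an added example in Python (not the chapter's own code or data): combine the 2006-2008 reports, drop those with no attributed country, count reports per country so that countries never named keep a zero, compare the per-year and combined numbers of countries with a positive count, and bin each total into the Table 7-1 categories. The reports, tool names and country list are constructed for illustration.

```python
"""Constructing the MALWARE count variable from repository reports.

Constructed illustration of the chapter's procedure; the reports below
are hypothetical, not the repository's records.
"""
from typing import Dict, List, Optional, Set, Tuple

Report = Tuple[int, str, Optional[str]]  # (year, tool name, attributed country or None)

# Constructed sample reports with hypothetical tool names and attributions
REPORTS: List[Report] = [
    (2006, "sample-a", "China"),
    (2006, "sample-b", "China"),
    (2006, "sample-c", None),       # no country of origin identified
    (2007, "sample-d", "Romania"),
    (2007, "sample-e", "China"),
    (2007, "sample-f", None),
    (2007, "sample-g", "Brazil"),
    (2008, "sample-h", "China"),
    (2008, "sample-i", "Romania"),
    (2008, "sample-j", None),
    (2005, "sample-k", "Brazil"),   # outside the study window, ignored
    (2009, "sample-l", "Turkey"),   # outside the study window, ignored
]
STUDY_YEARS = {2006, 2007, 2008}
# Countries in the analysis; a country never named in a report keeps a count of 0
COUNTRIES = ["Brazil", "Canada", "China", "Romania", "Turkey"]

# Table 7-1 categories as (low, high, label)
TABLE_BINS = [(0, 0, "0"), (1, 10, "1-10"), (11, 20, "11-20"),
              (21, 50, "21-50"), (51, 115, "51-115"), (116, 360, "116-360")]


def count_by_country(reports: List[Report], years: Set[int],
                     countries: List[str]) -> Tuple[Dict[str, int], int]:
    """Per-country report counts over `years`, plus the number of reports
    dropped because no country of origin was identified."""
    counts = {c: 0 for c in countries}
    dropped = 0
    for year, _, country in reports:
        if year not in years:
            continue
        if country is None:
            dropped += 1
            continue
        counts[country] = counts.get(country, 0) + 1
    return counts, dropped


def positive_countries_by_year(reports: List[Report], years: Set[int]) -> Dict[int, int]:
    """How many distinct countries have at least one attributed report in each year."""
    seen: Dict[int, Set[str]] = {y: set() for y in years}
    for year, _, country in reports:
        if year in years and country is not None:
            seen[year].add(country)
    return {y: len(s) for y, s in seen.items()}


def table_bin(count: int) -> str:
    """Map a country's total to its Table 7-1 category label."""
    for low, high, label in TABLE_BINS:
        if low <= count <= high:
            return label
    raise ValueError(f"count {count} falls outside the Table 7-1 range")


def build_dependent_variable(reports: List[Report] = REPORTS,
                             years: Set[int] = STUDY_YEARS,
                             countries: List[str] = COUNTRIES) -> Dict[str, object]:
    counts, dropped = count_by_country(reports, years, countries)
    return {
        "MALWARE": counts,
        "dropped_no_country": dropped,
        "positive_per_year": positive_countries_by_year(reports, years),
        "positive_combined": sum(1 for n in counts.values() if n > 0),
        "table_bin": {c: table_bin(n) for c, n in counts.items()},
    }


if __name__ == "__main__":
    for key, value in build_dependent_variable().items():
        print(f"{key}: {value}")
```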

INDEPENDENT VARIABLES 

The data for the independent variables derived from the CIA World Factbook and from Freedom House, a nongovernmental agency that collects annual data on political freedom around the globe. In order to model the number of reported malicious software programs, we included several co-variates in both the binary and count models. We examined measures on GDP and technological structure, political rights, and population diversity.

In the count model, the first group included measures of GDP and the number of Internet hosts within the country. We used the log of the GDP per capita (Log GDP) and the log of Internet hosts (Log Hosts), both from the CIA World Factbook. We logged the values for these two variables because both distributions were skewed. We also included other measures of technology infrastructure, including the number of cell phones and of radio and television stations. However, because these variables were all highly correlated with both Log GDP and Log Hosts, we could not include them in the same model. Furthermore, we attempted to include country population as a control variable, but, not surprisingly, it was highly correlated with all the predictor variables and also could not be included in the regression model.
The second variable included in the models was the degree of political rights (political rights) as measured by Freedom House. The variable ranged from 1 (the most free) to 7 (the least free). Freedom House's measure of political rights is based on a checklist of 10 political rights questions that fall into four subcategories: electoral process, political pluralism, participation, and functioning of government. These scores are then used to create the political rights subscale.

For measures of diversity, we included two variables: ethnic heterogeneity (ethnicity) and religious heterogeneity (religion). Both measures derived from the CIA World Factbook data, using P. M. Blau's heterogeneity index, calculated as $1 - \sum_i P_i^2$, where $P_i$ is the proportion of the population belonging to religious or ethnic group $i$. The squared proportions are summed and subtracted from 1, which gives an index from 0 (total homogeneity) to 1 (total heterogeneity). For both measures, a higher Blau's index indicated more heterogeneity.

Finally, we included a dummy variable for coun- 
tries on the Asian continent, such as China and North 
Korea, as a control variable. This variable included 
Middle Eastern countries such as Iran and Afghani- 
stan as well. Research indicates that Asian countries 
appear to be a prominent source of malware and 
hacker activity. In addition, countries with non-Latin 
alphabets, like China or Iran, might have been more 
easily detected and have a higher likelihood of being 
reported in the malware dataset. 

COUNT DATA ISSUES: THE ZERO-INFLATED 
NEGATIVE BINOMIAL MODEL 

Our dependent variable (MALWARE) reported the count of malicious software detected within each country. Using an ordinary least squares regression (OLS) was problematic because MALWARE was not normally distributed. It was right-tail skewed, as only a few countries reported hundreds of malicious software programs. The remaining countries reported far fewer than 100, most reporting 0. Thus, the modal count was 0, which resulted in an abundance of 0s in the variable's distribution. In fact, 80 percent of countries reported no malicious software during the study period. Furthermore, the data were reported counts, which omit countries that undoubtedly produced malicious software but were not detected by the reporting program. Because of these issues, using OLS regression was likely to result in biased standard errors and coefficients.

To remedy these problems, several limited dependent variable regression models for count data may be employed, including Poisson, zero-inflated Poisson, negative binomial, and zero-inflated negative binomial. A discourse on the differences among these models is beyond the scope of this chapter. Using STATA 8.0, the calculations employed a zero-inflated negative binomial (ZINB) model for two reasons. First, the variance was greater than the mean, indicating over-dispersion; thus, a Poisson model, which assumes that the variance equals the mean, was eliminated. Second, the abundant zeros in the frequency distribution likely came from two different groups: the Always-Zero group (countries that never produced malicious software) and the Not-Always-Zero group (countries that likely produced malicious software but had none reported).

For example, consider a country from the dataset likely in the Not-Always-Zero group. The United States, a technologically advanced country known to have a historically active hacker population, reported zero malicious programs during the study period. The assumption was that this zero count resulted from the reporting process failing to detect malware from the United States. The United States would therefore likely be in the Not-Always-Zero group. Since our data did not indicate which group a country belonged to, other than by subjective estimation, membership in either of the two zero groups was latent, or unobserved. This last point was an important element in favor of a ZINB model, because plain Poisson or negative binomial models treat all zeros as arising from a single process and therefore misstate the probability of a country producing zero programs. The ZINB model predicted membership in either of the two latent groups.

To do this, the ZINB model included two processes 
in the estimation of the outcome count variable: a bi- 
nary model and a count model. The binary (or inflat- 
ed) model, typically logit, predicted the membership 
of a case in the Always-Zero group versus the Not-Al- 
ways-Zero group. The first process accounted for mem- 
bership in the two groups, while the second count 
model then predicted the number of counts among 
countries in the Not-Always-Zero group. Both models 
are reported in the results of a ZINB regression. 

The decision to employ a ZINB should be based on the researchers' substantive understanding of how the data were generated, especially when the counts are subject to reporting bias. However, a researcher should also consider the Vuong test. The Vuong statistic tests whether the ZINB model fits the data better than a negative binomial regression. If the Vuong statistic is significant (V > 1.96), a ZINB should be employed instead of a negative binomial regression.

The ZINB model then predicted the count of reported malware programs by country based on GDP, Internet hosts, political rights, ethnic heterogeneity, and religious heterogeneity. For the Always-Zero inflation model, the study included two predictors: Internet hosts and political rights. Only 30 countries reported malware, so the study kept the inflation model as parsimonious as possible. Given that authoritarian regimes and countries with more Internet hosts are thought to be likely producers of malware, these two predictors should confirm or refute current thinking on cross-national production of malware.

FINDINGS 

The available data resulted in 147 countries in the sample, which are reported in Table 7-1. The modal count of reported software was zero. Thirty countries reported producing one or more malicious software programs in the sample years. China reported the highest number, 353 programs, which is in keeping with emergent research on Chinese hacker activity. It is important to remember that many of the countries in the zero category were actually producers of malware. Such countries likely produced malware during the sample period, but it was not detected and reported to the website; alternatively, their malware may have been reported to the website but the country of origin was not discernible. The ZINB model attempts to capture this distinction among zero counts (i.e., true zeros [no malware] versus false zeros [failure to detect]).

The descriptive statistics for reports of malicious software and the predictor variables appear in Table 7-2. As mentioned previously, the variance of the dependent variable was greater than the mean (s² = 1108.291; m = 6.966), indicating over-dispersion and ruling out a Poisson model. Because GDP and Hosts were logged, their mean levels are difficult to interpret and not as useful, but the values are reported in Table 7-2. The average level of political rights was 3.262, about the middle of the Freedom House scale. The mean levels of religious and ethnic heterogeneity were 0.398 and 0.363, respectively.


Variable     Mean      s.d.      Min      Max
Malware      6.966     33.291    0.000    353
Log GDP      8.796     1.300     5.298    11.282
Log Hosts    10.095    4.261     0.000    19.571
Rights       3.262     2.185     1.000    7.000
Religion     0.398     0.245     0.000    0.868
Ethnicity    0.363     0.254     0.000    0.950

Table 7-2. Descriptive Statistics (n=147).

Table 7-3 reports the results for the ZINB model. 
First, the zero-always inflation model reports the like- 
lihood of a country never having reports of malicious 
software. The results of the Vuong test indicated that 
the ZINB model was an improvement over a nega- 
tive binomial model (V=2.32; p< 0.01). More Internet 
hosts reduced the likelihood of being in the Always- 
Zero group (b=-1.507). Thus, more hosts increased the 
likelihood of being malware producers. Fewer politi- 
cal rights also reduced the likelihood of being in the 
Always-Zero group (b=-2.135), meaning that countries 
with fewer political rights were more likely to have 
been creators of malware. 
Covariate                               b             s.e.

Zero-always Inflation Model (Logit)
  Log Hosts                             -1.507*       0.720
  Political Rights                      -2.135*       1.088
  Constant                              23.443*       10.943

Zero-inflated Negative Binomial Model
  Log GDP                               0.054         0.255
  Log Hosts                             0.504***      0.500
  Political Rights                      0.297         0.134
  Religion                              -5.798**      1.786
  Ethnicity                             -0.658        1.559
  Constant                              -4.492        5.460

Log Likelihood                          -169.844***
Vuong test                              2.32*
Maximum Likelihood R2                   0.314

Notes: * p<.05; ** p<.01; *** p<.001.

Table 7-3. Zero-inflated Negative Binomial Regression for Count of Malicious Software (n=147).

Separating the two kinds of zero counts into the Always-Zero and Not-Always-Zero groups allowed us to consider the zero-inflated negative binomial results as presented in Table 7-3. More Internet hosts (logged) increased the number of reported malware programs (b=0.504). Religious heterogeneity was negative, indicating that a more heterogeneous religious milieu reduced the number of reported malware programs (b=-5.798). Log GDP, political rights, and ethnicity were not significant.

A dummy variable was added to control for Asian 
countries to partially rule out the possibility that 
countries with a non-Latin alphabet would be more 
likely to be recognized and reported. Thus, higher 
counts for Asian countries might have resulted from 
ease of detection rather than an increased propensi- 
ty for malware creation. In addition, it was possible 
that the associations between Internet hosts, political 
rights, religious heterogeneity, and malware creation 
were simply due to several Asian countries being high 
producers of malware. It was therefore important to 
examine whether these concepts relate to malware 
generally or whether they were simply descriptive of 
many Asian countries that happened to be high pro- 
ducers of malware. 

The results of this model are reported in Table 7-4. In the Always-Zero inflation model, more Internet hosts and fewer political rights remained significant, both predicting a lower likelihood of being in the Always-Zero group, as in the previous model. The dummy variable for Asia was also significant and positive (b=2.483), indicating that Asian countries were more likely to be in the Always-Zero category than non-Asian countries, meaning that they were more likely not to produce malware. The Asian dummy did not solely account for the relationship between Internet hosts, political rights, and malware, since these two measures remained significant in the model. However, it should also be noted that their coefficients decreased substantially between Tables 7-3 and 7-4. This illustrates that the Asian measure did partially mediate the effect of those two measures on malware creation.
Covariate                               b             s.e.

Zero-always Inflation Model (Logit)
  Log Hosts                             -0.634**      0.213
  Political Rights                      -0.861*       0.363
  Asia                                  2.483*        1.001
  Constant                              10.067**      3.392

Zero-inflated Negative Binomial Model
  Log GDP                               0.512         0.483
  Log Hosts                             0.302*        0.500
  Political Rights                      0.063         0.271
  Religion                              -3.818*       1.786
  Ethnicity                             -0.484        1.244
  Asia                                  1.540         0.862
  Constant                              -5.591        5.719

Log Likelihood                          -168.0059**
Vuong test                              1.93*
Maximum Likelihood R2

Notes: * p<.05; ** p<.01; *** p<.001.

Table 7-4. Zero-inflated Negative Binomial Regression for Count of Malicious Software Controlling for Asian Countries (n=147).

In the zero-inflated negative binomial component of the model, the results were similar to those shown in Table 7-3. Again, only Internet hosts and religious heterogeneity were significant predictors. Thus, the Asia measure did not account for the prediction of reported malware in the count model, either.
In order to make the results more intuitive, predicted counts of malicious software and the probabilities of being in the Always-Zero group were calculated from the first regression model (reported in Table 7-3). The results for six countries are reported in Table 7-5. Afghanistan, the first country, had zero reported malware programs during the study period and zero predicted malware programs. Its probability of being in the Always-Zero group was 0.999. Thus, Afghanistan was correctly classified based on the available data. Next, the United States and Jordan both had zero reported malware programs. The United States was predicted to have 15 reports of malware, while Jordan was predicted to have seven. Both countries had very low probabilities of being in the Always-Zero group, 0.000 and 0.096 respectively. Finally, three countries had positive observed reports of malware: Turkey (90), Egypt (10), and China (353). Two of the countries, Turkey and Egypt, had about the same predicted as reported counts of malware, 96 and 14, respectively. China, however, had far fewer predicted than observed counts (77 versus 353). All three of these countries had zero probability of being in the Always-Zero group, and because they were observed to have counts of malware, they fell in the negative binomial part of the distribution. These results show how the ZINB regression attempts to model cases where the reported nature of the data produces inaccurate counts.

Country          Y Count   Ŷ Count   p zero   Distribution
Afghanistan      0         0         .999     Always zero
United States    0         15        .000     Negative binomial
Jordan           0         7         .096     Negative binomial
Turkey           90        96        .000     Negative binomial
Egypt            10        14        .000     Negative binomial
China            353       77        .000     Negative binomial

Notes: Y is the observed count and Ŷ is the predicted count based on the negative binomial model. The column 'p zero' is the predicted probability that the country is in the Always-Zero distribution.

Table 7-5. Observed and Predicted Values for Counts and Probability of Always-Zero Group From Regression Model.

The probability of having a zero count is also shown in Figure 7-1. The figure shows the change in the probability of a country having a zero count for each level of political rights, from the most free (1) to the least free (7), with all of the other predictor variables set to their mean values. When the zeros from both equations are combined, the probability of a zero count is 1.00 at the most free end of the scale and drops to 0.600 as countries become less free. Note also that the zero probability from the binary equation alone drops to zero as the political rights score approaches its highest value (7, least free).
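As an added worked example, not code from the chapter (whose estimation was done in STATA), the following Python reproduces the two-part structure of a ZINB prediction using the coefficients printed in Table 7-3 and the sample means in Table 7-2, together with the Blau index used to build the religion and ethnicity covariates. It sweeps political rights from 1 to 7 with the other covariates at their means, which is the quantity plotted in Figure 7-1. The negative binomial dispersion parameter is not reported in the chapter, so the value used here is an assumption; the zero probabilities from the count equation are therefore illustrative, while the inflation (logit) equation depends only on the printed coefficients.

```python
import math

# Coefficients as printed in Table 7-3 (first model) and sample means from Table 7-2.
INFLATE = {"const": 23.443, "log_hosts": -1.507, "rights": -2.135}
COUNT = {"const": -4.492, "log_gdp": 0.054, "log_hosts": 0.504,
         "rights": 0.297, "religion": -5.798, "ethnicity": -0.658}
MEANS = {"log_gdp": 8.796, "log_hosts": 10.095, "rights": 3.262,
         "religion": 0.398, "ethnicity": 0.363}
# NB dispersion (NB2 parameterisation). Not reported in the chapter: assumed here.
ALPHA = 1.0


def blau_index(proportions):
    """Blau heterogeneity index 1 - sum(P_i^2) over group proportions summing to 1."""
    if not math.isclose(sum(proportions), 1.0, abs_tol=1e-6):
        raise ValueError("group proportions must sum to 1")
    return 1.0 - sum(p * p for p in proportions)


def logistic(z):
    return 1.0 / (1.0 + math.exp(-z))


def p_always_zero(x):
    """Inflation (logit) equation: probability that the country is a structural zero."""
    z = INFLATE["const"] + INFLATE["log_hosts"] * x["log_hosts"] + INFLATE["rights"] * x["rights"]
    return logistic(z)


def mu_count(x):
    """Count equation: expected malware count for a Not-Always-Zero country."""
    eta = COUNT["const"] + sum(COUNT[k] * x[k] for k in MEANS)
    return math.exp(eta)


def nb_zero_prob(mu, alpha=ALPHA):
    """P(Y = 0) under a negative binomial with mean mu and dispersion alpha."""
    return (1.0 + alpha * mu) ** (-1.0 / alpha)


def zinb_predict(x, alpha=ALPHA):
    """Combine both parts: a zero is either structural or a sampling zero from the NB."""
    pz, mu = p_always_zero(x), mu_count(x)
    p0_count = nb_zero_prob(mu, alpha)
    return {
        "p_always_zero": pz,                          # "0s from binary equation"
        "p_zero_count": p0_count,                     # "0s from count equation"
        "p_zero_total": pz + (1.0 - pz) * p0_count,   # "0s from both equations"
        "expected_count": (1.0 - pz) * mu,
    }


def zero_profile_by_rights(alpha=ALPHA):
    """Figure 7-1 style sweep: rights 1 (most free) to 7 (least free), others at means."""
    rows = []
    for rights in range(1, 8):
        x = dict(MEANS, rights=rights)
        rows.append((rights, zinb_predict(x, alpha)))
    return rows


if __name__ == "__main__":
    # Constructed example: a country split 60/30/10 across three religious groups.
    print("Blau index:", round(blau_index([0.6, 0.3, 0.1]), 3))
    for rights, pred in zero_profile_by_rights():
        print(rights, {k: round(v, 3) for k, v in pred.items()})
```

Because the inflation coefficient on political rights is negative, the structural-zero probability falls monotonically as the rights score rises; the count equation adds its own zeros on top, which is why the "both equations" curve never drops as low as the binary curve.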

[Figure 7-1: plot of the probability of a country having 0 reports of malicious software against Political Rights (1 = most free; 7 = least free), with three series: 0s from the binary equation, 0s from the count equation, and 0s from both equations.]

Figure 7-1. Probability of Country Having 0 Reports of Malicious Software by Political Rights.

DISCUSSION AND CONCLUSIONS

The diverse and sophisticated threats posed by hackers and malicious software writers require significant investigation by both the technical and social sciences to understand the various forces that affect participation in these activities. It is, however, challenging to identify reliable governmental data sources from which to examine trends and correlates of malware and hacking events. As a consequence, social science research may benefit from data mining online forums and websites to develop data sets. Such efforts may prove beneficial, as online data enable individuals to provide direct information on various forms of cybercrime without the stigma or fear that may otherwise result from contacting law enforcement agencies. This study attempted to demonstrate the value of such data through a country-level analysis of the economic, technological, and social forces that affect malware production, based on reports to an international online malware repository.

The findings suggest that malware production does not depend on a nation's economic conditions except insofar as they affect the development of its technological infrastructure. Nations with a larger number of Internet hosts were more likely to develop malware, because these nations give their citizens more opportunities to offend. Thus, greater information technology infrastructure may increase the number of people who can go online and so foster the development of hacker communities and malware creation.

Considering that GDP did not relate to malware production when controlling for Internet connectivity, hackers appear able to produce malware efficiently regardless of the legitimate employment opportunities provided by the markets. Additionally, this finding gives some support to the value of malware as a force multiplier in attacks against various targets, as producing it does not require significant economic investment. As a result, there may be little policy value in considering how G20 nations are involved in cyber attacks; rather, the diverse nature of the hacker threat should be explored in a global context. For example, understanding the relationships and intersections of hacker communities around the world through online environments may give some insight into the spread of techniques and utilities used to develop malware.

This analysis also indicated that more repressive 
governments created environments in which malware 
production was more likely. This suggests there is a re- 
lationship between political oppression and the devel- 
opment of attack tools. It is unclear, however, if these 
tools were being created as a means to attack other 
nations to steal information, engage in espionage, or 
engage in internal attacks as a means of liberation. The 
negative effect of religious heterogeneity on malware 
production, however, suggests that malware was not 
designed as a means of affecting individuals' religious 
views within their own country. 

The exploratory nature of this chapter provides multiple directions for future research. Specifically, there is a strong need for greater qualitative and quantitative examination of hacker communities around the world. Research on hacker subcultures in the United States, China, and Russia suggests that there are norms, justifications, and beliefs that drive individual action. Examining the subcultural norms of hacker communities in established and emerging nations in Asia, Northern Africa, and South America can provide insights into the influence of a nation's economic, political, and religious milieu on hacker activity.

The self-reported nature of the data used to develop the dependent variable, malware creation, also suggests a need for further investigation using online data sources on the prevalence and characteristics of malicious software. Many cybercrime scholars have argued for greater official statistics on cybercrime offenses from law enforcement, government agencies, and the private sector. Such published statistics could provide greater insight into the problem of malware, although there is little likelihood that these entities would provide such information to the academic research community. Instead, utilizing data sources such as the one used in this analysis provides a necessary and practical alternative to closed sources.

Though there are limitations with the data used in this chapter, as in all self-reporting studies, the work has demonstrated that reporting efforts can be successful in modelling computer crime. The results of this chapter suggest that a more concentrated effort by government or academic institutions to collect self-reported malware production is worth pursuing. Widely publicizing an Internet site where white-hat hackers, Internet security professionals, and laypersons could log detection of malware programs would improve the reliability of the data. Furthermore, such a reporting effort could create a database in which highly visible cyber attacks reported in the media are collected and analyzed, similar to efforts by the University of Maryland's National Consortium for the Study of Terrorism and Responses to Terrorism (START) Center. Given the clandestine nature of hacking, the anonymity of reporters would need to be emphasized and assured to increase participation in reporting. Some kind of verification protocol, such as requiring snippets of code or screenshots of user interface screens, should be implemented to ensure the accuracy of the information provided.

Combining this chapter with technical analyses 
of malware would also allow for some examination 
of the technical sophistication of the tools created by 
hackers in each country. Such information could give 
additional nuance to this study and may demonstrate 
relationships between the macro-level variables in- 
cluded. For example, if there is a correlation between 
the production of software designed to steal financial 
information and the economic or political climate of 
a nation, this information may help to better under- 
stand the drivers for financially motivated cybercrime. 
Alternatively, examining the programming languages 
within which these programs are written could be 
used as a proxy for technical sophistication and skill. 
If any relationship can be identified between coding 
languages and technological, economic, or political 
drivers, such examination may help to better identi- 
fy the forces that influence malware creation. In turn, 
this can help to improve understanding of malicious 
software production at the national level. 
CHAPTER 8

ISP GRADE THREAT MONITORING

Abhrajit Ghosh

INTRODUCTION

Today's Internet Service Provider (ISP) has to deal with various types of threats that impact not only its operations but also those of its customers. These threats manifest as malicious network traffic that may either overload the network infrastructure (e.g., Distributed Denial of Service [DDoS]) or enable illegal activities (e.g., spam, identity [ID] theft). ISPs can typically provision excess network capacity to deal with volume-based attacks; their end customers, however, may not always be able to do so. Consequently, it is very often the ISP's responsibility to detect and mitigate attacks that target its customers. Originators of relatively stealthy malicious activity cannot easily be monitored from their targets, because the activity observed at each individual target is intermittent. An ISP, however, has access to substantially more data on each node within its administrative domain and is in a better position both to detect originators of potentially malicious activities and to mitigate the threat they pose. According to Arbor Networks, the most significant threat faced by IP network operators today is host- or link-level DDoS. A significant portion of DDoS attacks are known to employ IP spoofing, a technique that allows an attacker to fake the source addresses on attack traffic. The use of IP spoofing makes it more difficult to trace an attack back to its source and delays the start of mitigation. Another significant source of concern is botnet activity. Botnets are networks of (typically) illegitimately controlled computers, spread across the public Internet, under the control of one or more so-called bot-herders. While botnets can be employed to originate DDoS attacks, they may also be used to run large spam-delivery operations, which may in turn propagate malicious code onto unsuspecting network users' computers. Botnets can also be used to explore compromised hosts and networks for valuable data to exfiltrate into the hands of an adversary.

Many ISPs operate Security Operation Centers 
(SOCs), wherein dedicated systems and personnel 
monitor and analyze data feeds to detect the occur- 
rence of malicious activities. The volume of data 
available at an ISP's SOC can be challenging for most 
analysis systems. It is essential that the data collection 
strategy as well as the analysis algorithms be tuned to 
such data volumes. 

MONITORING FOR THREATS 

Several approaches have been proposed in the past for detection of volume-based network attacks. Volume analysis approaches make use of flow record export capabilities at network routers, such as sFlow and NetFlow, in conjunction with flow-collection software such as nfdump and flow-tools. Analysis algorithms look for evidence of anomalous traffic volumes in the exported flow records. The operation of these components appears in Figure 8-1. Traffic enters a network via one of its edge routers and may traverse one or more core routers before exiting. Flow data export can be enabled on either core or edge routers. In many cases, network operators minimize the processing load on routers by mirroring traffic observed at the routers to dedicated flow agents; the flow agents then act as flow exporters, offloading some of the flow data export load from the routers. Exported flow data are directed to one or more flow collectors, which typically save flow information into persistent storage for subsequent analysis. Various flavors of analysis tools are available; for example, nfdump provides tools to compute statistical data on individual flows or on flow aggregates, and tools such as NfSen provide graphical web-based front ends for flow analysis visualization.



Figure 8-1. Flow Data Collection. 

An alternative approach is to use Simple Network Management Protocol (SNMP)-based network monitoring tools to observe the standard network monitoring Management Information Bases (MIBs). For example, the interface packet counters in a router's SNMP MIBs, polled periodically to derive packets-per-second rates, can be used to detect volume anomalies. SNMP-based detection of volume anomalies is inherently coarser grained than the flow analysis-based approaches, since it sees interface totals rather than individual flows; on the other hand, SNMP data analysis is a lighter-weight process than flow data analysis. Neither method can by itself distinguish between legitimate and illegitimate volume anomalies.
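The volume-analysis approach described above, as an added example that is not code from the chapter, from Telcordia's system, or from any of the tools named: it aggregates flow records into per-destination packets-per-minute bins, learns a per-destination baseline (mean and standard deviation) from a training window, and flags any live bin that exceeds both mean + k·σ and an absolute floor. The CSV field order, the addresses, the bin size and the thresholds are assumptions made for the example, and all flow records are constructed; real deployments would read collector output such as nfdump's CSV export instead.

```python
import statistics
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst proto packets bytes")
BIN_SECONDS = 60  # assumed aggregation interval


def parse_flows(text):
    """Parse constructed nfdump-style CSV lines: ts,src,dst,proto,packets,bytes."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, packets, nbytes = line.split(",")
        flows.append(Flow(int(ts), src, dst, int(proto), int(packets), int(nbytes)))
    return flows


def packets_per_bin(flows, bin_seconds=BIN_SECONDS):
    """Aggregate packet counts per destination per time bin: {dst: {bin: packets}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.dst][f.ts // bin_seconds] += f.packets
    return totals


def build_baseline(training_flows, bin_seconds=BIN_SECONDS):
    """Per destination (mean, population stdev) of packets per bin over training."""
    baseline = {}
    for dst, bins in packets_per_bin(training_flows, bin_seconds).items():
        series = list(bins.values())
        if len(series) < 2:
            continue  # too little history to estimate a spread
        baseline[dst] = (statistics.mean(series), statistics.pstdev(series))
    return baseline


def detect_volume_anomalies(baseline, live_flows, k=3.0, floor=200, bin_seconds=BIN_SECONDS):
    """Return (dst, bin, packets) for bins above mean + k*stdev and above an absolute floor.

    Destinations with no baseline fall back to the floor alone. The alert only says the
    volume is anomalous; a flash crowd and a flood look identical at this layer.
    """
    alerts = []
    for dst, bins in packets_per_bin(live_flows, bin_seconds).items():
        mean, sd = baseline.get(dst, (0.0, 0.0))
        threshold = max(mean + k * sd, floor)
        for b, pk in sorted(bins.items()):
            if pk > threshold:
                alerts.append((dst, b, pk))
    return alerts


def constructed_training():
    """Ten one-minute bins of ordinary traffic from three clients to a web server."""
    lines = []
    for b in range(10):
        for i, pk in enumerate((40, 35, 30)):
            n = pk + b % 3
            lines.append(f"{b * 60 + i * 10},198.51.100.{i + 1},203.0.113.10,6,{n},{n * 800}")
    return parse_flows("\n".join(lines))


# Constructed live window: minute 0 is normal, minute 1 carries a flood of
# small packets from many sources (the 192.0.2.0/24 addresses are documentation space).
LIVE_CSV = """\
# ts,src,dst,proto,packets,bytes
0,198.51.100.1,203.0.113.10,6,41,32800
10,198.51.100.2,203.0.113.10,6,36,28800
20,198.51.100.3,203.0.113.10,6,31,24800
60,192.0.2.17,203.0.113.10,6,1200,48000
61,192.0.2.99,203.0.113.10,6,1300,52000
62,192.0.2.140,203.0.113.10,6,1250,50000
63,192.0.2.201,203.0.113.10,6,1150,46000
65,198.51.100.1,203.0.113.10,6,40,32000
"""

if __name__ == "__main__":
    base = build_baseline(constructed_training())
    for dst, b, pk in detect_volume_anomalies(base, parse_flows(LIVE_CSV)):
        print(f"volume anomaly: dst={dst} bin={b} packets={pk} baseline={base[dst]}")
```

The absolute floor matters in practice: a destination whose baseline is a handful of packets per minute would otherwise alert on trivial deviations, which is the kind of noise the chapter's correlation engine exists to suppress.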

Deep Packet Inspection (DPI)-based approaches provide a means to inspect every byte of every packet passing through the inspection device. This allows inspection of the application payload the packet carries and can help identify the program or service in use. DPI-based approaches are especially useful for applications that use nonstandard ports, such as Skype and other peer-to-peer applications. Inspecting every byte is a computationally intensive process, especially at high network data rates, and is typically implemented using custom hardware, which makes DPI approaches fairly expensive for large-scale deployments. In addition, DPI approaches may not be very useful if the inspected payloads are encrypted. One way of using DPI-based solutions is to compare observed application payloads with known attack signatures. However, this requires maintaining an attack signature repository and is not very useful against zero-day attacks.

SECURITY MONITORING SYSTEM 

Telcordia has spent several years researching various aspects of network security, in particular the problem of monitoring large-scale networks for malicious activity. The company has developed a system for large-scale security monitoring that examines data exported by flow agents for anomalies. An illustration of a typical deployment appears in Figure 8-2. The system receives NetFlow and sFlow feeds from multiple flow agents located within the monitored network. It also periodically downloads the following types of data from publicly accessible sources:

• BGP (Border Gateway Protocol) routing information from public BGP Routing Information Bases (RIBs).

• BGP Autonomous System (AS) number registration information from Internet Routing Registries (IRRs).

• Blacklisted IP address lists from Domain Name System Blacklists (DNSBLs) and legitimate IP address lists from Domain Name System Whitelists (DNSWLs).

Flow data are analyzed in conjunction with the above types of data sources for anomalies.



Figure 8-2. Security Monitoring System 
Deployment. 
The goal of the system is to detect various types of network traffic anomalies that could be caused by DDoS, spamming, IP address spoofing, and botnet activities. The system is designed to scale to Tier 1 ISP data rates, at which several gigabytes of flow data can be generated every few minutes.

A high level architecture of the monitoring system 
appears in Figure 8-3. A set of data collectors acquires 
flow data from within the monitored network and 
publicly accessible data from the types of sources listed 
above that reside outside the monitored network. Col- 
lected data are written into persistent storage, which 
consists of an SQL database and a set of flat files. 



Figure 8-3. Monitoring System Architecture. 

A set of anomaly detectors analyzes the collected data and generates alerts when anomalies are detected. Currently three types of anomaly detectors are provided: (a) Volume Anomaly Detectors; (b) Source Anomaly Detectors; and (c) Profile Anomaly Detectors. The Volume Anomaly Detector analyzes collected data for volume anomalies using a variety of approaches. The Source Anomaly Detector incorporates algorithms for spoofed-source IP address detection and makes use of flow data, BGP routing data, and AS number registration data. The Profile Anomaly Detector examines the flow-level behavior of individual nodes within the monitored network in conjunction with blacklist/whitelist information to identify potentially malicious nodes. Each anomaly detector writes the result of its analysis into a structured query language (SQL) table.

Results of the outputs of various anomaly detec- 
tors can be analyzed in conjunction with each other 
using the Correlation Engine. The Correlation Engine 
attempts to determine if detected anomalous activities 
are contemporaneous. It also attempts to identify if 
an attack source generating one type of attack is also 
responsible for other types of attacks. As such, the cor- 
relation engine provides a means to reduce the overall 
false-positive rate of the monitoring system. 

SOURCE ANOMALY DETECTION 

The goal of the source anomaly detectors is to 
identify instances of source IP address spoofing in ob- 
served flows. The basic principle of the operation of 
source anomaly detectors appears in Figure 8-4. Here, 
data for the monitored ISP are acquired via NetFlow/ 
sFlow data feeds from three flow agents. Source ad- 
dress profiles are generated for each flow agent using 
training flow data. Alerts are raised when a source 
IP address that does not match a flow agent's profile 
is observed at the agent. For example, during train- 
ing, source IP addresses from ISP_D are expected 
at flow agent FA2, while source IP addresses from 
ISP_A are expected at FA1. An alert will occur if flows 
with source IP addresses from ISP_D are observed 
at FA1, since this could be evidence of a possible 
spoofing attack. 
Figure 8-4. Source Anomaly Detection Overview. 

While using training data, care must be taken to 
reduce the possibility of using spoofed traffic to build 
the source address profiles. While building the pro- 
files, care can be taken by considering only flows for 
established TCP connections and by ignoring flows to 
destinations receiving data from bogon sources. It is 
also possible that training data may not be adequate to 
cover all potential sources of traffic. One can address 
this potential issue by considering profiles based on 
BGP AS numbers, given that a single BGP AS num- 
ber can map to several IP address prefixes, including 
those prefixes not observed during training. 
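The following is an added example, not part of the chapter or the authors' system, that implements the source anomaly detector described above in Python: per-flow-agent profiles keyed by origin AS number, training restricted to established TCP flows with bogon-tainted destinations dropped, and an alert whenever an observed source AS is not expected at the observing agent. The prefix-to-AS table, bogon list, agent names and flow record fields are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for the BGP routing / AS registration data the
# detector consults: prefix -> origin AS. Two prefixes share AS 64500 so that
# the AS-level profile also covers a prefix never seen during training.
PREFIX_TO_AS = {
    ip_network("203.0.113.0/24"): 64500,   # "ISP_A", seen in training
    ip_network("198.51.100.0/24"): 64500,  # "ISP_A", second prefix, unseen in training
    ip_network("192.0.2.0/24"): 64501,     # "ISP_D"
}
# Constructed bogon list: reserved space that should never appear as a source.
BOGONS = [ip_network("0.0.0.0/8"), ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]


def origin_as(src):
    """Map a source address to its origin AS, or None if it is unknown."""
    ip = ip_address(src)
    for net, asn in PREFIX_TO_AS.items():
        if ip in net:
            return asn
    return None


def is_bogon(src):
    ip = ip_address(src)
    return any(ip in net for net in BOGONS)


def train(flows):
    """Build {flow_agent: set of expected origin ASes} from training flows.

    Flow records are dicts with agent, src, dst, proto and tcp_flags (a set of
    flag names). Only established TCP flows (ACK seen) are trusted, and every
    destination that received traffic from a bogon source is dropped entirely,
    so spoofed training traffic cannot seed the profile.
    """
    tainted_dsts = {f["dst"] for f in flows if is_bogon(f["src"])}
    profiles = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or "ACK" not in f["tcp_flags"]:
            continue
        if is_bogon(f["src"]) or f["dst"] in tainted_dsts:
            continue
        asn = origin_as(f["src"])
        if asn is not None:
            profiles[f["agent"]].add(asn)
    return dict(profiles)


def detect(flows, profiles):
    """Alert on any flow whose source AS is not expected at the observing agent.

    An address with no known origin AS is also alerted on, since it matches
    no agent profile at all.
    """
    alerts = []
    for f in flows:
        asn = origin_as(f["src"])
        if asn is None or asn not in profiles.get(f["agent"], set()):
            alerts.append({"agent": f["agent"], "src": f["src"],
                           "asn": asn, "dst": f["dst"]})
    return alerts


def flow(agent, src, dst, proto="tcp", flags=("ACK",)):
    """Constructed flow record helper."""
    return {"agent": agent, "src": src, "dst": dst, "proto": proto,
            "tcp_flags": set(flags)}


# Constructed training set: ISP_A traffic arrives at FA1, ISP_D traffic at FA2.
TRAINING = [
    flow("FA1", "203.0.113.10", "198.18.0.10"),
    flow("FA2", "192.0.2.20", "198.18.0.11"),
    flow("FA1", "10.1.1.1", "198.18.0.12"),               # bogon source: taints 198.18.0.12
    flow("FA1", "192.0.2.5", "198.18.0.12"),              # ISP_D at FA1, dropped with tainted dst
    flow("FA1", "192.0.2.6", "198.18.0.10", proto="udp"), # not an established TCP flow
]

# Constructed observation set.
OBSERVED = [
    flow("FA1", "198.51.100.7", "198.18.0.10"),  # unseen prefix, but AS 64500: no alert
    flow("FA1", "192.0.2.9", "198.18.0.10"),     # ISP_D address seen at FA1: alert
    flow("FA2", "192.0.2.9", "198.18.0.11"),     # ISP_D at FA2: expected
    flow("FA2", "203.0.113.3", "198.18.0.11"),   # ISP_A at FA2: alert
]

if __name__ == "__main__":
    prof = train(TRAINING)
    for a in detect(OBSERVED, prof):
        print(f"ALERT {a['agent']}: src {a['src']} (AS {a['asn']}) -> {a['dst']}")
```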

PROFILE ANOMALY DETECTION 

The profile anomaly detectors detect any behav- 
ioral anomalies pertaining to hosts within the moni- 
tored network. One profile anomaly detector, that is 
currently part of the system, identifies potential spam- 
mers using flow data and spammer blacklists. Figure 
8-5 illustrates the operation of the spammer detector. 
This detector operates in a two-step process. 

1. Training: During this process, training flows 
build a communication profile for each suspected 
spammer node. Nodes with similar communication 
profiles are grouped into clusters. Subsequently, IP 
address blacklists and whitelists identify clusters that 
contain known spammers. The existing clusters are 
then labeled as spammer clusters or as non-spammer 
clusters. 

2. Judgment: As in the training case, observed flows 
build communication profiles for suspected spammer 
nodes. The best matching cluster is identified for each 
communication profile. A node is identified as a spam- 
mer if its profile matches a spammer cluster. 



Figure 8-5. Spammer Detection Overview. 
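An added example (not the authors' code) of the two-step spammer detector just described: training builds a per-node communication profile from flows, clusters the nodes, and labels clusters from IP blacklists and whitelists; judgment assigns each newly profiled node to its nearest cluster. The feature scaling, the leader clustering and the labelling rule are assumed simplifications, and all flows and list entries are constructed.

```python
import math
from collections import defaultdict


def build_profiles(flows):
    """Communication profile per source node from flow records.

    Flow records (constructed) are dicts with src, dst, dport and bytes. The
    profile is a 3-vector: share of flows to SMTP (port 25), destination
    fan-out, and mean bytes per flow, each scaled into [0, 1] (an assumed
    scaling so that Euclidean distances between profiles are comparable).
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    profiles = {}
    for src, fl in by_src.items():
        n = len(fl)
        smtp_share = sum(1 for f in fl if f["dport"] == 25) / n
        fanout = len({f["dst"] for f in fl})
        mean_bytes = sum(f["bytes"] for f in fl) / n
        profiles[src] = (smtp_share, min(fanout / 20.0, 1.0), min(mean_bytes / 5000.0, 1.0))
    return profiles


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def cluster(profiles, radius=0.3):
    """Leader clustering (an assumed, simple choice): a node joins the first
    cluster whose centroid lies within `radius`, otherwise it starts a new one."""
    clusters = []
    for node, vec in profiles.items():
        for c in clusters:
            if distance(c["centroid"], vec) <= radius:
                c["members"].append(node)
                m = len(c["members"])
                c["centroid"] = tuple((ci * (m - 1) + vi) / m
                                      for ci, vi in zip(c["centroid"], vec))
                break
        else:
            clusters.append({"centroid": vec, "members": [node]})
    return clusters


def label_clusters(clusters, blacklist, whitelist):
    """A cluster is a spammer cluster if it holds a blacklisted node and no
    whitelisted one (assumed labelling rule)."""
    for c in clusters:
        members = set(c["members"])
        c["spammer"] = bool(members & blacklist) and not (members & whitelist)
    return clusters


def judge(flows, clusters):
    """Judgment step: flag a node whose profile is nearest to a spammer cluster."""
    flagged = set()
    for node, vec in build_profiles(flows).items():
        best = min(clusters, key=lambda c: distance(c["centroid"], vec))
        if best["spammer"]:
            flagged.add(node)
    return flagged


def make_flows(src, n_dst, dport, nbytes):
    """Constructed sample: n_dst flows from src, each to a distinct destination."""
    return [{"src": src, "dst": f"198.18.1.{i}", "dport": dport, "bytes": nbytes}
            for i in range(1, n_dst + 1)]


# Constructed training traffic for three nodes inside the monitored network.
TRAIN_FLOWS = (make_flows("10.0.0.1", 20, 25, 800)       # spam-like, on no list
               + make_flows("10.0.0.2", 18, 25, 900)     # spam-like, blacklisted
               + make_flows("10.0.0.3", 3, 443, 40000))  # ordinary HTTPS client
BLACKLIST = {"10.0.0.2"}
WHITELIST = {"10.0.0.3"}
# Constructed traffic for the judgment step.
JUDGE_FLOWS = (make_flows("10.0.0.4", 15, 25, 1000)      # behaves like the spammers
               + make_flows("10.0.0.5", 2, 80, 30000))   # behaves like the web client

if __name__ == "__main__":
    cl = label_clusters(cluster(build_profiles(TRAIN_FLOWS)), BLACKLIST, WHITELIST)
    print("suspected spammers:", judge(JUDGE_FLOWS, cl))
```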
VOLUME ANOMALY DETECTION 

Our system incorporates an efficient real-time 
volume anomaly detector that gives early warning 
of observed volume anomalies. The volume anomaly 
detector operates by considering a near-term mov- 
ing window of flow records when computing traffic 
volumes to a destination address. The operation of 
the real-time volume anomaly detector appears in 
Figure 8-6. Flow records from flow agents are stored 
in memory over a user-defined time window (e.g., 5 
minutes). Traffic volumes are computed for destina- 
tions observed within a given time window and are 
compared against operator-specified thresholds to 
determine the presence of anomalies. This approach 
eliminates the need to create large archives of flow re- 
cords for the purpose of volume-based analysis and 
allows more timely detection of anomalies in the ob- 
served data. The approach is also somewhat more ac- 
curate than the archive-based approach, since it is not 
constrained by artificial time boundaries used while 
archiving files. 


Figure 8-6. Volume Anomaly Detection Overview. 





ANOMALY CORRELATION 


Our system incorporates a correlation engine that 
correlates alerts generated by the different types of 
anomaly detectors. A significant issue with many 
anomaly detection-based approaches is their poten- 
tially high false-positive rate. The correlation engine 
component reduces the possibility of generating 
false positives. 

Different types of correlations are performed by 
the system. These may be based on the source IP ad- 
dresses of observed flows or on their destination IP 
addresses. For example, source anomaly alerts corre- 
late with volume anomaly alerts to determine whether 
a volume anomaly targeting a specific destination is 
happening at the same time as source anomalies are 
observed. Also, volume anomaly alerts correlate with 
profile anomaly alerts to determine whether a source 
of elevated traffic volumes has performed other types 
of malicious activities such as spamming or participa- 
tion in a botnet. 
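An added example, not from the chapter, covering both the volume anomaly detector described earlier and the destination-keyed correlation described in this section: a moving-window byte counter per destination that raises one alert when an operator threshold is crossed, and a correlator that escalates a volume alert only when source anomaly alerts for the same destination fall within a time slack. The window length, threshold, addresses and alert records are constructed.

```python
from collections import defaultdict, deque


class VolumeDetector:
    """Near-term moving-window volume detector.

    Flow records (ts, dst, nbytes) are kept in memory only for `window_s`
    seconds; per-destination byte totals over that window are compared with
    an operator threshold, and one alert is raised each time a destination
    crosses it. No flow archive is needed.
    """

    def __init__(self, window_s, threshold_bytes):
        self.window = window_s
        self.threshold = threshold_bytes
        self.records = deque()          # (ts, dst, nbytes), oldest first
        self.volume = defaultdict(int)  # dst -> bytes within the window
        self.above = set()              # dsts currently over threshold

    def add(self, ts, dst, nbytes):
        # Expire records that fell out of the window.
        while self.records and self.records[0][0] <= ts - self.window:
            _, old_dst, old_b = self.records.popleft()
            self.volume[old_dst] -= old_b
            if self.volume[old_dst] <= self.threshold:
                self.above.discard(old_dst)
        self.records.append((ts, dst, nbytes))
        self.volume[dst] += nbytes
        if self.volume[dst] > self.threshold and dst not in self.above:
            self.above.add(dst)
            return {"type": "volume", "ts": ts, "dst": dst, "bytes": self.volume[dst]}
        return None


def run_volume_detector(flows, window_s=300, threshold_bytes=10_000_000):
    """Feed time-ordered flows to the detector and collect its alerts."""
    det = VolumeDetector(window_s, threshold_bytes)
    alerts = []
    for ts, dst, nbytes in sorted(flows):
        alert = det.add(ts, dst, nbytes)
        if alert:
            alerts.append(alert)
    return alerts


def correlate(volume_alerts, source_alerts, slack_s=60):
    """Destination-keyed correlation: keep a volume alert only when source
    anomaly alerts for the same destination were raised within `slack_s`."""
    escalated = []
    for v in volume_alerts:
        hits = [s for s in source_alerts
                if s["dst"] == v["dst"] and abs(s["ts"] - v["ts"]) <= slack_s]
        if hits:
            escalated.append({"dst": v["dst"], "ts": v["ts"], "bytes": v["bytes"],
                              "spoofed_sources": sorted({s["src"] for s in hits})})
    return escalated


# Constructed sample: a burst of 100 flows of 200 kB each, one per second,
# toward 198.18.0.10, plus light background traffic to 198.18.0.20.
BURST = [(t, "198.18.0.10", 200_000) for t in range(100)]
BACKGROUND = [(t, "198.18.0.20", 1_000) for t in range(0, 100, 5)]
# The same byte total spread over ~17 minutes; a 5-minute window must not fire.
SLOW_DRIP = [(10 * t, "198.18.0.30", 200_000) for t in range(100)]

# Constructed source anomaly alerts, as a source anomaly detector would emit.
SOURCE_ALERTS = [
    {"ts": 48, "dst": "198.18.0.10", "src": "192.0.2.9"},
    {"ts": 55, "dst": "198.18.0.10", "src": "192.0.2.11"},
    {"ts": 52, "dst": "198.18.0.99", "src": "192.0.2.13"},  # different destination
]

if __name__ == "__main__":
    vol = run_volume_detector(BURST + BACKGROUND + SLOW_DRIP)
    for e in correlate(vol, SOURCE_ALERTS):
        print(e)
```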

CONCLUSION 

Our system offers several advantages to an operator 
who may be interested in monitoring the network for 
potentially malicious activity. It integrates with stan- 
dardized data sources, such as NetFlow and sFlow. It 
has also been evaluated in a Tier 1 ISP environment 
and has scaled to the high data rates observed therein. 
There is also no requirement for specialized hardware, 
as is the case for many current solutions (for example, 
DPI approaches); the approach is software based and 
therefore portable. 

The use of an alert correlation component is valu- 
able to a network operator who would be very inter- 
ested in lowering false-positive rates. Given the high 
data volumes, even a relatively small false-positive 
rate can lead to a significant number of alerts that 
may confuse a human operator. This approach uses 
behavioral anomalies to identify potentially malicious 
nodes in the target network and is thus in a position to 
be able to detect zero-day attacks by not depending on 
the availability of attack signatures. Our system can 
potentially be used by a network operator to support 
the delivery of revenue-generating attack detection 
services to interested customers. 
CHAPTER 9 


THE CHALLENGES ASSOCIATED WITH 
ASSESSING CYBER ISSUES 

Stuart H. Starr 

INTRODUCTION 

Since the issuance of the 2010 Quadrennial Defense 
Review (QDR), there has been a growing appreciation 
of the challenges associated with assessing irregular 
warfare. In particular, there is an understanding that 
cyber issues are of increased importance in future 
irregular wars. This manifests in adversary exfiltra- 
tion of data from sensitive but unclassified databases, 
cyber attacks on sovereign nations (e.g., Estonia and 
Georgia), and the fear that critical infrastructures may 
be the target of a "cyber Pearl Harbor." However, the 
assessment community is having a difficult time char- 
acterizing the current ability to assess cyber issues and 
prioritizing actions to improve that capability. 

The goal of this chapter is to explore the state-of- 
the-art in the ability to assess cyber issues. To illumi- 
nate this problem, the chapter presents a tentative 
decomposition of the problem into manageable sub- 
sets. Using that deconstruction, it identifies candidate 
cyber policy issues that warrant further analysis and 
identifies and illustrates candidate Measures of Merit 
(MoMs). Subsequently, the chapter characterizes some 
of the more promising existing cyber assessment ca- 
pabilities that the community is employing, followed 
by an identification of several cyber assessment capa- 
bilities that will be necessary to support future cyber 
policy assessments. The chapter concludes with a brief 
identification of high priority cyber assessment efforts 
to pursue. 


DECOMPOSITION OF THE PROBLEM 

To structure the problem, the holistic cyber frame- 
work is depicted in Figure 9-1. This framework is pat- 
terned after the triangular framework that the mili- 
tary operations research community has employed 
to decompose the dimensions of traditional warfare. 
In that framework, the base consists of systems mod- 
els, upon which rests more complex, higher orders of 
interactions (e.g., engagements, tactical operations, 
campaigns). Historically, the outputs from the lower 
levels provide the feedback to the higher levels of 
the triangle. 


Figure 9-1. Decomposition of the Problem. 

By analogy, the bottom of the pyramid consists of 
"cyberspace," the components, systems, and systems- 
of-systems that comprise the cyber infrastructure. The 
output from this cyber infrastructure enhances "cyber 
power," the traditional instruments of power: politi- 
cal/diplomatic, informational, military, and economic 
(P/DIME). These instruments of power, in turn, pro- 
vide the basis for "cyber strategy," the empowerment 
of the entities at the top of the pyramid. These entities 
include, inter alia, individuals, terrorists, transnational 
criminals, corporations, nation-states, and interna- 
tional organizations. Note that while nation-states 
have access to all of these instruments of power, the 
other entities generally have access to only a subset of 
them. In addition, initiatives, such as deterrence and 
treaties, may provide the basis for limiting the em- 
powerment of key entities. 

The pyramid suggests that each of these lev- 
els is affected by institutional factors. These include 
governance, legal considerations, regulation, criti- 
cal infrastructure protection, and consideration of 
civil liberties. 

KEY CYBER POLICY ISSUES 

Senior decisionmakers have identified several key 
policy issues that require further attention (see Table 
9.1). Note that this list is representative rather than 
comprehensive. In Table 9.1, these issues have been 
aggregated into the categories of cyberspace, cyber 
power, cyber strategy, and institutional factors. Note 
that most of these issues are extremely broad and con- 
tentious. Consequently, new methods, tools, data, and 
intellectual capital must address them adequately. In 
particular, there is a need to cast these issues in the 
proper context so that one can deal with all of the 
factors of interest. 
Category               Key Issues 

Cyberspace             What steps should be taken to enhance the security 
                       of cyberspace? 
                       What resources are needed to make cyberspace 
                       resistant to adversary attacks? 

Cyber Power            What risks does the military face in implementing 
                       Net-Centric Operations? 
                       How vulnerable is the network to computer network 
                       attack? 
                       How should Web 2.0 technologies be exploited to 
                       enhance Influence Operations? 

Cyber Strategy         What norms should be used among civilized nations? 
                       What steps should be taken to enhance cyber 
                       deterrence? 

Institutional Factors  When does a cyber attack rise to the level of an act 
                       of war? 
                       What cascading effects are faced in attacks against 
                       critical infrastructures? 
                       What steps should be organized to mitigate cyber 
                       risks? 

Table 9-1. Selected Cyber Policy Issues. 

MEASURES OF MERIT FOR CYBER ISSUES 

Table 9-2 suggests a potential decomposition of the 
MoMs associated with the cyber problem. It identifies 
four linked sets of measures: Measures of Performance 
(MoPs), Measures of Functional Performance (MoF- 
Ps), Measures of Effectiveness (MoEs), and Measures 
of Entity Empowerment (MoEEs). Since this field of 
endeavor is still in its infancy, the material is meant to 
be illustrative and not exhaustive. 
Measures                 Representative Measures 

Cyber Strategy -         • Political reforms (e.g., participation in democratic 
Entity Empowerment         elections) 
                         • Military efforts to enhance security (e.g., reduction in 
                           number, severity of insurgent, terrorist attacks) 
                         • Economical reforms (e.g., reconstruction projects 
                           completed) 
                         • Social reforms (e.g., reconciliation of warring 
                           parties) 
                         • Information (e.g., gaining trust of host nation 
                           population) 
                         • Infrastructure (e.g., electric power, clean water) 

Effectiveness            • Informational 
(against targeted          • Media: Number of positive/negative stories 
groups)                    • Clerics: Tone of mosque sermons 
                         • Military: Loss Exchange Ratios 

Functional               • Informational 
Performance                • Time to create, validate, and disseminate influence 
                             messages 
                           • Number of meetings held with surrogate groups 

Performance              • System performance (e.g., latency, bandwidth, 
                           reliability) 
                         • Resistance to adversary attack (e.g., ability to 
                           withstand a Denial of Service attack) 

Table 9-2. Representative Measures of Merit. 

MoPs are needed to characterize the key computer 
science and electrical engineering dimensions of the 
problem. A key measure is the amount of bandwidth 
that is available to representative users of cyberspace. 
As the bandwidth increases to the megahertz/sec 
range, the user is able to access advanced features 
such as imagery and video products. A second key 
measure is connectivity. For circumstances in which 
the cyber infrastructure is fixed, a useful measure is 
the percent of people in a country who have access to 
the Internet. However, in many military operations, 
the cyber infrastructure and the users are mobile. Un- 
der these circumstances, a more useful measure is the 
performance of Mobile, Ad hoc NETwork (MANET) 
users (e.g., their ability to stay connected). Third, one 
can introduce measures of the "noise" that character- 
izes the cyber infrastructure. For example, the extent 
to which the quality of the Internet is degraded can 
be characterized by the unwanted email that it car- 
ries ("spam"), which can subsume a substantial sub- 
set of the network's capacity. As an example, it has 
been estimated that in recent months, approximately 
90 percent of the traffic on the Internet is spam. In 
addition, the integrity of the information is further 
compromised by "phishing" exploits in which crimi- 
nal elements seek to employ the Internet to perpetrate 
economic scams. Finally, MoPs can be introduced to 
characterize resistance to adversary actions, including 
distributed denial of service (DDoS) attacks, propaga- 
tion of viruses or worms, and illicitly intruding into 
a system. 

It is useful to introduce MoFPs that characterize 
how successfully selected entities are able to perform 
key functions, taking advantage of cyberspace. In the 
case of the U.S. military, the concept of net-centricity 
is to employ advances in cyberspace to perform es- 
sential functions (e.g., use digital links to disseminate 
a holistic view of the situation to individual weapon 
systems). Similarly, a basic tenet of net-centricity is to 
propagate the commander's intent so that the partici- 
pants in the operation can synchronize their actions. 

MoEs must characterize how effective entities can 
be in their key missions, taking advantage of cyber- 
space. In the context of major combat operations, MoEs 
need to characterize the ability to exploit cyberspace 
in multiple dimensions. At one extreme, enhance- 
ments in cyberspace have the potential to reduce the 
time to conduct a campaign and the casualties asso- 
ciated with the campaign. At the other extreme, en- 
hancements in cyberspace may substantially enhance 
blue-loss exchange ratios and the amount of ground 
gained and controlled. 

From the perspective of cyber strategy, there is in- 
terest in characterizing the extent to which enhance- 
ments in cyberspace can empower key entities. In the 
case of nation-states, potential MoEEs might include 
selected political, military, economic, social, informa- 
tional, and infrastructure (PMESII) variables. As an 
example, it might address the ability to leverage cy- 
berspace to influence a population (e.g., "win hearts 
and minds"); shape a nation at strategic crossroads; 
and deter, persuade, and coerce an adversary. 

EXISTING CYBER ASSESSMENT CAPABILITIES 

Currently, there are many methods, tools, and data 
that are being developed to address cyber issues. This 
section presents a subset of those capabilities in the 
areas of cyberspace, cyber power, cyber strategy, and 
institutional factors. 

Cyberspace. 

In the area of data, we currently have some limited 
ability to collect real-world cyberspace information. 
For example, firms such as Gartner, Juniper, Syman- 
tec, and IBM extrapolate from samples to estimate the 
amount of "noise" (e.g., spam) that is infecting the 
real world. In addition, they provide some limited 
data characterizing the effectiveness of malware (e.g., 
DDoS attacks, worms, and viruses). 
There are some limited mathematical theories that 
enable analysts to evaluate the performance of net- 
works. As an illustration, techniques such as percola- 
tion theory enable one to evaluate the robustness of 
a network. 

There are also a variety of emerging tools that en- 
able analysts to assess key issues in cyberspace. As a 
foundation for those tools, operations analysts have 
historically developed a deep understanding of the 
nature of the problem by analyzing real operations. In 
the case of cyber attacks, a representative set of real op- 
erations includes the following: Domain Name Server 
(DNS)-based "pharming attacks" to compromise the 
DNS server (e.g., redirect the user to a spoofed site 
or untrusted proxy); email-based "Phishing attacks," 
in which the phisher might send spam or a targeted 
email with bait; and deceptive download attacks, in 
which the adversary piggybacks on other software, 
posts software on a web site, or corrupts a trusted site. 

Similarly, a great deal of useful operational knowl- 
edge can derive from key conferences. A representa- 
tive event is the yearly DEFCON, which bills itself as 
"the largest underground hacker convention in the 
world." To suggest its focus, DEFCON has addressed 
the following issues during 2006 to 2008. In 2006, it 
focused on "owning" an organization through the 
BlackBerry and dramatically increasing the "attack 
surface" through the proliferation of wireless devices 
(e.g., WiFi) and the transition to IPv6. In 2007, the fo- 
cus was placed on identity theft. In 2008, the emphasis 
included exploiting social software, social networks, 
and hacking opportunities provided by increasing the 
use of wireless connectivity. 

Building on these sources of operational data, 
there are several modeling and simulation (M&S) 
tools that the community is employing to address 
computer science and communications issues. Per- 
haps the best known simulation is OPNET, which is 
widely employed to address network architectural is- 
sues. However, OPNET and similar tools contain no 
description of potential vulnerabilities, such as adver- 
sary actions, malicious software, or insider threats. A 
theoretical prediction of the effects of network degra- 
dation can be obtained using OPNET (e.g., by the loss 
of a particular router or host); however, this is not a 
simulation of an actual threat. 

To provide a more controlled environment for 
analysis, several test beds are emerging. As one ex- 
ample, the iCollege at National Defense University 
(NDU) has an Information Assurance (IA) Lab. The 
IA Lab offers detailed opportunities for non-experts to 
implant malicious code in software applications and 
operating systems within closed nets using openly 
available hacking tools. Similarly, the Department of 
Energy's Pacific Northwest Laboratory is developing 
a test bed to explore and evaluate alternative cyber- 
deception strategies. At the other end of the spec- 
trum, the National Research Laboratory (NRL) has 
developed a Global Information Grid (GIG) Test bed 
to explore the myriad system-of-systems issues asso- 
ciated with linking new systems and networks. 

Cyber Power. 

Our primary assessment tools for cyber power 
deal with the impact of changes in cyberspace on the 
military and informational levers of national power. 
In the military domain, interesting tools are emerg- 
ing in live-virtual-constructive (LVC) simulations. 
For example, in assessments of air-to-air combat, 
insights have been derived from the live AIMVAL- 
ACEVAL experiments, virtual experiments in the for- 
mer McDonnell Air Combat Simulator (MACS), and 
constructive experiments using tools such as TAC 
BRAWLER and EASDSIM. These studies have en- 
abled researchers to determine that the advantage of 
a digital link to an airborne interceptor enhances his 
or her loss-exchange-ratio by approximately 2.5 per- 
cent. However, at present, it is not feasible to generate 
comparable "rules of thumb" for more complex as- 
pects of contemporary warfare (e.g., air-land battle in 
complex terrain). 

More recently, the Information Operations (IO) 
Joint Munitions Effectiveness Manual (JMEM) is de- 
veloping frameworks and tools to address the various 
pillars of IO. These include computer network opera- 
tions (subsuming Computer Network Attack [CNA], 
computer network defense, and computer network 
exploitation), psychological operations (PSYOP), 
electronic warfare (EW), operations security, and 
military deception. As an illustration, JMEM is de- 
veloping a CNA risk-and-effectiveness analyzer (C- 
REA). This tool uses the effects and response analysis 
module (ERAM) as its core with interfaces tailored 
for planners. 

In the area of live simulation, the IO range is 
emerging, with its hub at Cyber Command (CYBER- 
COM). This links together a variety of existing ranges 
(e.g., China Lake and Huntsville) to evaluate the use 
of CNA or EW techniques. Ultimately, the objective 
is to expand the IO range to evaluate all of the five 
pillars of IO. However, it is not clear how the exist- 
ing IO range will evolve to address these other pillars. 
In addition, DARPA is in the process of developing a 
national cyber range. 

In the informational domain, techniques are emerg- 
ing to address media effects. One of the major areas of 
interest for the PSYOP community is to evaluate the 
effects of media on culture and opinion. To illustrate 
this interest, there are several tools that have been de- 
veloped and employed. These include the synthetic 
environments for analysis and simulation (SEAS), an 
agent-based model that has been developed by Simu- 
lex. JFCOM employed SEAS in Afghanistan to sup- 
port assessments of the extent to which media broad- 
casts affected the attitudes of the target population. 
Similarly, Oak Ridge National Laboratory (ORNL) 
has developed a tool known as Cultural and Media 
Influences on Opinion (CAMIO). This tool uses an 
agent-based approach to assess the opinions of a group 
and how these opinions can be influenced over time. 
Representative issues of interest include how small 
groups of acquaintances form from larger populations 
and change over time. Furthermore, the IO JMEM has 
developed effectiveness of psychological influence 
(EPIC) to support the planning of PSYOP groups in 
developing and delivering messages. However, in 
each of these examples, there has not been a rigorous 
verification and validation (V&V) process. 

Looking to the future, there is interest in apply- 
ing massively multiplayer online games (MMOGs) 
to informational issues. MMOGs offer a self-orga- 
nizing environment for strategic communication or 
social networking that can potentially engage very 
large populations. A representative MMOG is Sec- 
ond Life. Since it offers the possibility of collecting 
substantial amounts of socio-behavior data, it has the 
potential to acquire and analyze tacit knowledge and 
cultural preferences. 
Cyber Strategy. 


To support cyber strategy assessments, four key 
initiatives are being pursued. These include exercises, 
lessons learned from the real world, new assessment 
methodologies, and societal models. 

Over the last 3 years, the Department of Homeland 
Security (DHS) has conducted three Cyber Storm na- 
tional cyber exercises. There is general agreement that 
these exercises have served to raise awareness of the 
cyber threat posed to critical infrastructures. Howev- 
er, there is concern that no systematic process exists to 
transform "lessons recorded" into "lessons learned." 

As noted above, operations analysts have been 
successful when they have effectively derived lessons 
learned from real-world events. In the area of cyber 
attack, a substantial amount has been learned from 
the recent cyber attacks on Estonia and Georgia. In the 
case of Estonia, an extensive DDoS effectively denied 
citizens access to key Government sites, financial loca- 
tions, and the media. In response, Estonia has imple- 
mented a NATO Cooperative Cyber Defence Centre 
of Excellence (CCD COE) to support the planning and 
response to such attacks. More recently, Russia appar- 
ently employed a cyber attack as a precursor to their 
invasion of Georgia. Although details are sketchy, 
details are beginning to emerge on the dynamics of 
that attack. 

In response to a recent tasking by STRATCOM, a 
new methodology and associated tools are emerging 
to address tailored deterrence issues. The Deterrence 
Analysis and Planning Support Environment (DAPSE) 
is a process that is also instantiated in a web applica- 
tion. As part of that process, they have developed a 
typology (consistent with various social science disci- 
plines) to characterize the information needed for un- 
derstanding adversaries and other actors of interest. 
In addition, they have identified a preliminary set of 
applicable M&S and developed a decision deterrent 
calculus (DDC) matrix. The DDC matrix identifies 
perceived feasible/acceptable options by adversaries, 
potential U.S. options, and the impact of the result on 
other actors of interest. 

Several organizations are in the process of creating 
and refining societal simulations. As an example, the 
Systems Architecture Laboratory at GMU has devel- 
oped a multi-modeling facility. As an element of this 
tool kit, it uses colored petri nets to create executable 
models to assess the effect of alternative DIME options 
on PMESII effects. They attempt to heuristically deter- 
mine the course of action that maximizes the achieve- 
ment of desired effects as a function of time. 

Furthermore, DARPA's conflict modeling, plan- 
ning, and outcomes experimentation (COMPOEX) 
program is developing decision aids to support leaders 
in designing and conducting future coalition-orient- 
ed, multiagency, intervention campaigns employing 
unified actions, or a whole of government approach 
to operations. COMPOEX generates a distribution of 
"plausible outcomes" rather than precise predictions. 
COMPOEX's components include: 

• Conflict Space Tool: This provides leaders and 
staff with the ability to explore and map sourc- 
es of instability, relationships, and centers of 
power to develop their theory of conflict. 

• Campaign Planning Tool: A framework to de- 
velop, visualize, and manage a comprehensive 
campaign plan in a complex environment. 

• Family of Models: These are instantiated for 
the current area of responsibility (AoR), based 
largely on systems dynamics models. Addi- 
tional models are being developed to more ac- 
curately represent the operational environment 
for other AoRs. 

• Option Exploration Tool: This enables a staff to 
explore a multiple series of actions in different 
environments to see the range of possible out- 
comes in all environments. 

However, there are substantial challenges in perform- 
ing V&V of these tools and transitioning them to op- 
erational users. 

Institutional Factors. 

In the area of institutional factors, primary empha- 
sis has been placed on the development of legal tools 
and critical infrastructure protection (CIP) tools. In 
the legal domain, a major challenge is to characterize 
rapidly whether a cyber attack is an act of war. Mi- 
chael N. Schmitt of Durham University has developed 
a framework to address that issue. The framework 
systematically considers seven factors which are: se- 
verity, immediacy, directness, invasiveness, measur- 
ability, presumptive legitimacy, and responsibility. 
Once one has assessed each of those factors, multi- 
attribute utility theory can be employed to weigh each 
of these factors and come to a determination. 

To facilitate legal decisions, a dual-decision tree 
system has been recommended. The first of these 
trees is a computer-based tree to assemble key data 
prior to an actual attack (e.g., primary and second- 
ary levels to characterize international law, constitu- 
tional law, executive actions [directives], legislative 
actions [statutes], or judicial rulings [cases]). This tree 
is complemented by a human-based tree to support 
developing a legal brief in near real time, drawing on 
four levels of abstraction (e.g., citation, precis, excerpt, 
or full document). Similarly, the system enriches 
knowledge of legal issues by conducting legal analy- 
ses of real-world events (e.g., the NATO CCD COE 
legal assessment of the Georgian attack). 

In the area of CIP, several innovative tools are 
evolving. The iCollege, NDU, is refining a Superviso- 
ry Control and Data Acquisition (SCADA) Laboratory 
that is designed to explore the vulnerabilities of con- 
trol systems for electric power generation and other 
critical infrastructures (e.g., chemical plants or water 
treatment). Alternatively, under the aegis of DHS, 
the National Infrastructure Simulation and Analysis 
Center (NISAC) is developing and applying system 
dynamics models to assess cascading effects among 
critical infrastructures. They are taking advantage of 
the M&S skills resident in Los Alamos National Labo- 
ratory and Sandia National Laboratory (LANL/SNL). 
Furthermore, the U.S. Cyber Consequences Unit 
(US-CCU) is developing and applying risk assessment 
tools to critical infrastructure issues. For example, 
USCCU developed a model of value creation and de- 
struction to evaluate the economic consequences of 
cyber attacks. In addition, it has published a risk as- 
sessment check list for critical infrastructures. 

NEEDED CYBER ASSESSMENT CAPABILITIES 

This section briefly summarizes some of the major 
needs for cyber methods, tools, data, and services. In 
the area of cyberspace, there is a need to institute a 
more systematic and comprehensive process by which 
data are collected, organized, and V&V'ed. In addi- 
tion, there is a need to go beyond OPNET to create 
a large-scale, high-fidelity model, which can real- 
istically model a set of malicious activities against a 
real-world network. 

In the area of cyber power, there is, first, a need to develop and apply risk assessment tools that enable one to estimate the probability and consequence of a cyber attack. The results can help prioritize the allocation of resources to the defense of those assets. Second, there is a need to develop additional functional relationships linking changes in cyberspace to consequences in cyber power. Senior decisionmakers need access to "rules of thumb" that will enable them to assess the impact of changes in cyberspace (e.g., bandwidth, accessibility) on changes in the instruments of power (e.g., the ability to perform diplomatic, informational, military, and economic activities). At this stage, only a few limiting cases exist, for relatively simple operations (e.g., limited air-to-air combat). A broad set of studies should be performed, analogous to the (narrower) activities that were performed by the Office of Force Transformation.

In the area of cyber strategy, there is a need to extend and apply recently developed methods. In the area of exercises, it is important to go beyond consciousness raising to the development of a process to mitigate identified cyberspace shortfalls. In addition, the method developed by DAPSE may be useful when considering potential options to deter attacks in cyberspace. Furthermore, a great deal of work is required to develop the needed cyber strategy tools. First, at the MORS workshop on deterrence,^^ several variants on game theory were identified and discussed as a way to explore contemporary variants on deterrence. It might be useful to develop game-theoretic tools for analyzing potential cyber attacks. Second, most war games lack the fidelity and granularity to explore alternative IO attacks. Activities are underway to identify "best of breed" war games and to identify needed capabilities.^* Third, there is a need for tools that will support integration across kinetic and nonkinetic attacks. Currently, several shortfalls limit the ability to accomplish this objective. For example, in the nonkinetic domain, the IO JMEM activity is developing tools to assess the impact of the individual IO pillars on mission effectiveness. However, there is a need for a capstone tool that will enable tradeoffs across the individual pillars. In addition, there is no tool with adequate scope and granularity to support the formulation and assessment of courses of action that subsume a mix of kinetic and nonkinetic actions.

Fourth, human, social, and cultural behavior (HSCB) will have a major impact on individuals and organizations that are subject to cyber attack. As an example, many of the most successful attacks have cleverly employed social engineering. Thus, there is a need for an HSCB Modeling Test Bed to evaluate and V&V candidate social science theories and the tools that instantiate those theories. Finally, in the area of societal tools, these tools are currently at a very primitive stage. Additional work is required to improve the constituent elements of these tools (e.g., underlying models of economic, political, or social behavior) and their interaction. In particular, there is a need for greater transparency in identifying and tracing cause-and-effect relationships. The HSCB Modeling Test Bed might be a useful mechanism to mature these tools and to perform systematic V&V of them.

Many of the creators of cyber tools lack the knowledge to apply them efficiently and effectively. One of the issues is the large number of variables associated with those tools. To begin to address this issue, two courses of action are necessary. First, flexible, adaptive, and responsive (FAR) exploratory analyses should be performed that develop response surfaces characterizing these tools.^^ Second, innovative experimental designs are required (e.g., exploiting the insights developed by NPS' SEED Center for Data Farming).

It must be emphasized that virtually none of the tools cited above have undergone rigorous V&V. Even when some of the key V&V tests are performed, they are rarely documented in a clear, transparent fashion that enables senior decisionmakers to make reasoned judgments about the application of these tools to specific issues. The HSCB Modeling Test Bed may prove to be a useful laboratory for conducting these V&V activities.

In the area of institutional factors, there is a need for improved tools to support governance, legal assessments, and CIP issues. Historically, the United States has played a major role in governing cyberspace. However, given the global nature of the Internet, many nations have agitated for a larger role in the governance process. Currently, there is a lack of adequate tools that would enable the formulation and evaluation of key governance issues. As noted above, a proposal has been raised to assemble relevant cyber legal information into dual-decision trees that would give lawyers easy access to key data. An effort is needed to design and instantiate such tools. Finally, as noted above, a number of institutions have been designing and applying a variety of tools to support the assessment of attacks against critical infrastructures (including cascading effects). At this stage, rigorous V&V efforts are required for those tools so that a senior decisionmaker will be able to assign an appropriate level of confidence to their results.
CONCLUSION 

This chapter has established a framework for evaluating cyber issues; identified key policy issues that warrant analysis; identified potential MoMs for cyber analysis; characterized the state of the art in performing cyber analyses; and identified key areas that warrant additional attention. As Figure 9-2 suggests, the analysis community's ability to assess cyber issues is uneven. It tends to be strongest in assessing cyberspace issues (in which computer science and electrical engineering issues predominate) and weakest in assessing cyber strategy and institutional factors.

Figure 9-2. Assessment of Existing Cyber Tools. 

Overall, there will need to be a substantial infusion of resources to develop the methods, tools, data, and intellectual capital needed to address the concerns of senior decisionmakers. However, given the limited resources that are available, it is suggested that highest priority be given to the following activities. First, although there are interesting individual tools to support the analysis of cyberspace, there is a need for an integrated suite of analysis tools. At the foundation of these tools, actions must be taken to enhance data collection.

Second, the analysis community requires better tools to assess the impact of advances in cyberspace on broader military and informational effectiveness (e.g., land combat in complex terrain). Similarly, tools are necessary to assess the risks that ensue if an adversary is able to compromise net-centric operations. However, there is extensive uncertainty about many of the key parameters that are introduced in the IO JMEM frameworks (e.g., many of the parameters that characterize the probability of arrival and the probability of damage). This suggests that exploratory analysis techniques be used with these and comparable frameworks to deal with the massive uncertainty in key parameters. Furthermore, since human responses to cyber actions are of great importance, there is a need for an HSCB Modeling Test Bed to enhance our ability to model HSCB.

Third, there is a need to develop tools that explore the impact of alternative mixes of offensive and defensive actions on deterrence strategies. This is extremely important because of recent proposals that have emerged from the White House.^' Although emerging societal tools are promising, it is vital that they be subject to rigorous verification, validation, and accreditation (VV&A) activities. Finally, there have been a number of studies of cyber attacks against nation-states (e.g., Estonia and Georgia). However, there is a need for a more rigorous assessment to develop and implement lessons learned.

Lastly, several efforts are underway to assess the effectiveness and impact of attacking critical infrastructures. However, if these tools are going to be valuable to senior decisionmakers, it is important that they be subject to rigorous VV&A efforts.
APPENDIX I 


ABBREVIATIONS AND ACRONYMS 


Acronym     Meaning 

AoR         Area of Responsibility 
CCDCOE      Cooperative Cyber Defense Centre of Excellence 
CAMIO       Cultural and Media Influences on Opinion 
CIP         Critical Infrastructure Protection 
CNA         Computer Network Attack 
COMPOEX     Conflict Modeling, Planning & Outcomes Experimentation 
C-REA       CNA Risk and Effectiveness Analyzer 
DAPSE       Deterrence Analysis and Planning Support Environment 
DARPA       Defense Advanced Research Projects Agency 
DDC         Decision Deterrent Calculus 
DDoS        Distributed Denial of Service 
DHS         Department of Homeland Security 
DIME        Diplomatic, Informational, Military, Economic 
DNS         Domain Name Server 
EADSIM      Extended Air Defense Simulation 
EPIC        Effectiveness of Psychological Influence 
ERAM        Effects and Response Analysis Module 
EW          Electronic Warfare 
FAR         Flexible, Adaptable, Robust 
GMU         George Mason University 
HSCB        Human, Social, Cultural Behavior 
IA          Information Assurance 
IO          Information Operations 
IPv6        Internet Protocol version 6 
IRMC        Information Resource Management College 
JFCOM       Joint Forces Command 
JMEM        Joint Munitions Effectiveness Manual 
LANL        Los Alamos National Laboratory 
LVC         Live-Virtual-Constructive 
M&S         Modeling and Simulation 
MACS        McDonnell Air Combat Simulator 
MANET       Mobile, Ad hoc, Network 
MMOGs       Massively Multiplayer Online Games 
MoEs        Measures of Effectiveness 
MoEEs       Measures of Entity Empowerment 
MoFPs       Measures of Functional Performance 
MoMs        Measures of Merit 
MoPs        Measures of Performance 
MORS        Military Operations Research Society 
MTB         Modeling Test Bed 
NDU         National Defense University 
NISAC       National Infrastructure Simulation and Analysis Center 
NPS         Naval Postgraduate School 
NRL         Naval Research Laboratory 
ORNL        Oak Ridge National Laboratory 
PMESII      Political, Military, Economic, Social, Information, and Infrastructure 
PSYOP       Psychological Operations 
SCADA       Supervisory Control and Data Acquisition 
SEAS        Synthetic Environment for Analysis and Simulation 
SEED        Simulation, Experimentation and Efficient Designs 
SNL         Sandia National Laboratory 
STRATCOM    Strategic Command 
US-CCU      U.S. Cyber Consequences Unit 
V&V         Verification and Validation 
VV&A        Verification, Validation, and Accreditation 